Author Topic: directory authentication  (Read 2975 times)

andrewmcafee

  • Newbie
  • *
  • Posts: 3
    • View Profile
directory authentication
« on: March 30, 2012, 02:24:25 PM »
Any tested methods for directory authentication? Active Directory, eDirectory, openLDAP, etc. 

jnetman1

  • Administrator
  • Hero Member
  • *****
  • Posts: 285
    • View Profile
Re: directory authentication
« Reply #1 on: March 31, 2012, 11:24:08 AM »
Directory authentication is definitely do-able with all of the directories you mention, however the limitations and complexities of being tethered to a directory typically outweigh the benefits with mobile devices. For Active directory, there are both free and commercial solutions, as you might expect. OpenLDAP (which we use for all of our servers) is free, of course, and Novell obviously supports Linux authentication to eDirectory (they are a Linux provider, after all). I've authenticated Linux clients using all three mechanisms, and generally believe that the costs outweigh the benefits.

AD/Windows Authentication

I've personally used winbind authentication, which is probably the quickest and easiest path, against AD and Samba servers running on Linux successfully. You can read about getting that set up at https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto. If you want to go after full Kerberos SSO and the like, there is documentation at https://help.ubuntu.com/community/ActiveDirectoryHowto. Once you start to head down that path, the commercial solutions, like Centrify and Likewise will definitely be worth a look.

LDAP

LDAP authentication is part of Linux's DNA, so getting set up for this is fairly straightforward. Basic LDAP authentication can be accomplished with the ldap-auth-config and ldap-auth-client packages - see https://help.ubuntu.com/community/LDAPClientAuthentication for details. Of course, you'll need to have a properly configured LDAP server at your disposal, which can technically be any LDAP compliant server with the right schema extensions. OpenLDAP is free, of course - you can learn about setting it up at https://help.ubuntu.com/community/OpenLDAPServer. Oreilly also has a really good book titled LDAP System Administration, which was something of an LDAP bible for me when I was first getting started. Using a MacOSX server (which uses OpenLDAP for it's directory) might also be an easy way manage an OpenLDAP server for your Linux clients, although I haven't looked into it personally.

eDirectory

Good luck on that one. I did it once about a decade ago when Novell first got into Linux using a solution similar to the one posted at http://www.novell.com/coolsolutions/feature/5706.html, but haven't looked since. I know they have some sort of extended client, which they talk about here: http://www.novell.com/products/clients/. I've heard bad things about trying to get the client to work on anything but SuSE, so you'll probably be better off sticking with a stock LDAP authentication. I would try a combination of the instructions in the Cool Solutions link above and the Ubuntu LDAP authentication link in the LDAP section above.

Cytochromec

  • Full Member
  • ***
  • Posts: 46
    • View Profile
Re: directory authentication
« Reply #2 on: April 03, 2012, 04:04:05 PM »
I used Likewise a while ago to test if network authentication was possible against our Active Directory. I was able to get it to work with some tinkering, but I forget all of the steps, and have now become a proponent of no-need-for-network-authentication  ;D

jnetman1

  • Administrator
  • Hero Member
  • *****
  • Posts: 285
    • View Profile
Re: directory authentication
« Reply #3 on: April 09, 2012, 09:27:42 AM »
Don't know why I didn't think of this before: One of the main reasons most people want to authenticate ubermix to a "network infrastructure" is because they are deploying it is a "shared use" setting - like a lab or mobile cart - where each device might be used by several people. In such an environment, a user's ability to customize the machine might not be what you want, as the following user might be confused by the customizations of a prior user. While authenticating each user is certainly one way to solve the problem, a simpler way is to set the devices to auto-reset at startup, thus guaranteeing the default "look" every time. This only costs about 30 seconds of startup time (depending on the speed of your hard drives, of course), so it's really a no-brainer for most shared use applications.

You can learn more about Auto-Reset options at: http://wiki.ubermix.org/page/Auto-Reset

jnetman1

  • Administrator
  • Hero Member
  • *****
  • Posts: 285
    • View Profile
Re: directory authentication
« Reply #4 on: April 09, 2012, 09:32:01 AM »
Ronald Stoddard just posted a page in the ubermix wiki explaining how to authenticate to AD using CentrifyDN  :)

http://wiki.ubermix.org/page/Adding_Ubermix_to_Active_Directory_using_CentrifyDN

Note: If you are using a recent 0.9x version of ubermix, you shouldn't have to do any of the hostname-update changes listed on the page - the auto update script has been fixed as of v0.911.

andrewmcafee

  • Newbie
  • *
  • Posts: 3
    • View Profile
Re: directory authentication
« Reply #5 on: April 23, 2012, 05:56:39 AM »
All fantastic info. Thanks for taking the time.

FWIW, our need for directory authentication, at least for the moment, is access to shared and home drives managed by eDirectory. We are still running Netware 6.5 but working toward some form of migration in the near future.

jnetman1

  • Administrator
  • Hero Member
  • *****
  • Posts: 285
    • View Profile
Re: directory authentication
« Reply #6 on: April 23, 2012, 08:49:57 AM »
If you want to make ncp-ip mounts against Novell servers, install ncpfs using Synaptic, or sudo apt-get install ncpfs

pyperdown

  • Full Member
  • ***
  • Posts: 65
    • View Profile
Re: directory authentication
« Reply #7 on: July 10, 2012, 02:18:56 PM »
Directory authentication is definitely do-able with all of the directories you mention, however the limitations and complexities of being tethered to a directory typically outweigh the benefits with mobile devices. For Active directory, there are both free and commercial solutions, as you might expect. OpenLDAP (which we use for all of our servers) is free, of course, and Novell obviously supports Linux authentication to eDirectory (they are a Linux provider, after all). I've authenticated Linux clients using all three mechanisms, and generally believe that the costs outweigh the benefits.

LDAP

LDAP authentication is part of Linux's DNA, so getting set up for this is fairly straightforward. Basic LDAP authentication can be accomplished with the ldap-auth-config and ldap-auth-client packages - see https://help.ubuntu.com/community/LDAPClientAuthentication for details. Of course, you'll need to have a properly configured LDAP server at your disposal, which can technically be any LDAP compliant server with the right schema extensions. OpenLDAP is free, of course - you can learn about setting it up at https://help.ubuntu.com/community/OpenLDAPServer. Oreilly also has a really good book titled LDAP System Administration, which was something of an LDAP bible for me when I was first getting started. Using a MacOSX server (which uses OpenLDAP for it's directory) might also be an easy way manage an OpenLDAP server for your Linux clients, although I haven't looked into it personally.


This should work well for us.  We're finally dipping our toe in the water with 2 40-netbook carts, initially for shared usage but could be part of 1:1...

Our existing linux systems all authenticate and automount via OpenLDAP...  From later in the thread it appears that the autoreset could be a good thing for us.


pyperdown

  • Full Member
  • ***
  • Posts: 65
    • View Profile
Re: directory authentication
« Reply #8 on: November 01, 2012, 01:40:49 PM »
Well I got the ldap auth and ldap automount working - now launcher will not load.  Any thoughts?  Any issues with automounting NFS homedirs?  Alternative approaches I should look at?
« Last Edit: November 01, 2012, 02:45:44 PM by pyperdown »

pyperdown

  • Full Member
  • ***
  • Posts: 65
    • View Profile
Re: directory authentication
« Reply #9 on: November 02, 2012, 02:37:45 PM »
loaded a fairly vanilla edubuntu 12.04 and experiencing similar issues.  We are a bit different from most, I imagine, in that we are authenticating to OpenLDAP AND automounting homedirs via ldap automount maps AND nfs.

Had a small breakthrough in removing libnss-ldap and replacing with libnss-ldapd

Backing up working version and going to take another stab at ubermix...  Will post specifics back.

pyperdown

  • Full Member
  • ***
  • Posts: 65
    • View Profile
Re: directory authentication
« Reply #10 on: November 02, 2012, 04:09:06 PM »
OK...  libnss-ldapd IS the fix IF you need to automount ldap homedirs... 

Always nice to end a week on a "I killed a bear" note...