[SATLUG] SOHO LDAP

David Kowis dkowis at shlrm.org
Sun Jan 24 23:13:04 CST 2010


On 1/24/2010 2:15 PM, Frank Huddleston wrote:
> Greetings,
> 
>   Has anyone here implemented a multi-computer configuration using
> LDAP? If so, I'd like to hear about it.

I have, yes. I've set up a windows domain controller running samba at
work. LDAP backed, first using SMGL and second using Fedora and Xen. I
took one box, virtualized it so I could have multiple "redundant"
servers. (I know if the hardware fails I'm toast, but then we'd be toast
anyway, at least with virtualized servers, I can update one box without
risk of bringing down the entire authentication framework.) The
virtualization worked out quite well, I could take the master LDAP
server down for an update, and windows users could still authenticate,
if not change their passwords. I set up nagios to monitor the various
services I had running (on yet another virtual machine) so that I could
look at a single picture for the health of my network. Which is good,
because this wasn't my "primary responsibility." Being a software
engineer the company didn't see that I should be given much time to set
up the network, yet they expected it to be "secure." Maybe I have too
lofty a definition of secure, but it involves log correlation and
services monitoring. Takes time to set up, time I wasn't allowed, so I
did the best I could with the time I had. (sorry, got into a rant. I
could delete it from the email, but it helps describe the background as
to why I did things the way I did.)

I used the smbldap scripts to add and delete users

http://linuxwiki.riverworth.com/index.php?title=LDAP_Authentication#Samba_Authentication

I think has the relevant information.


> I remember about 1999-2000, Novell was selling a kind of LDAP
> application that would do pretty much what the MS Active Directory does,
> but with a more eclectic set of clients. I don't know what happened to
> that: do any of you?
> I think I heard that Red Hat might also have some kind of application
> like that, and of course there is Active Directory, but that does
> require MS computers
> to run it, and I don't know how well it works with non-MS clients.

Redhat's fedora equivalent is the Fedora Directory Server:
http://directory.fedoraproject.org/

I haven't used it, but it's a package deal (or so it claims)

I set up the ldap servers at work by hand, since I had set them up by
hand in SourceMage and I was trying to reuse the configurations I had
prior. That worked for the most part. I had about 6 or 7 users, and
several things that they needed to authenticate against. Windows logins
for one, backuppc, and a couple other services. With LDAP I was able to
wrangle authentication against the LDAP server for just about everything.

>  I think Apple's OS X server uses some kind of LDAP directory, but,
> being OS X Server, is rather expensive, and expected to run on a Mac.
> A few years ago, I tried something that was called the "NetInfo Bridge",
> which was an application that was designed to allow interoperability
> between the OS X NetInfo, which is (or was?) some kind of quasi-LDAP
> system, and LDAP, in this case Open LDAP, I think. I had compilation or
> installation problems with my version of
> OS X, which by then I think was not the latest, and I think the NetInfo
> had changed some between the OS X releases. I messed with it for a
> while, then went on to other things, as so often happens.
> 
> So, I often hear people suggest using LDAP when I ask these
> multi-computer configuration and management issues, but now I'm asking:
> have any of you actually implemented such a thing, and if so, please
> tell me/us about it.

I have LDAP at home, but I need to rework it a bit. It's quite handy to
set up the same user account on many systems. Same with groups.

It can operate with single system groups as well, like I have a local
account for the Wii to use for homebrew smb access. But it needs access
to a group that's in LDAP. So I just add the wii user to that group in
ldap. `getent group` shows correctly and accurately.

It takes more planning and a bit more effort to configure, so it depends
on what your exact situation is.

If there are more specific questions regarding how I set things up or
why I did it the way I did, I'll try to answer them.

David Kowis
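An added example, not code from the poster or the list: it models the mixed local/LDAP group case David describes (a local-only account listed as a memberUid of an LDAP posixGroup, which `getent group` then shows because memberUid is a plain name string that NSS resolves against whatever passwd sources are configured). Because LDAP never validates memberUid, the same script also reports members that resolve to neither a local nor an LDAP account, a cheap check for stale group entries. The /etc/passwd excerpt, the LDIF export and the dc=example,dc=org suffix are constructed sample data.

```python
# Added example (not the original poster's code): model of how a group kept in
# LDAP can list a member that exists only in the local /etc/passwd, plus a check
# for memberUid values that resolve nowhere. All sample data is constructed.

# Constructed /etc/passwd excerpt: 'wii' exists only locally.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
wii:x:1001:1001:Wii homebrew share user:/srv/wii:/usr/sbin/nologin
"""

# Constructed LDIF export of the directory (hypothetical dc=example,dc=org suffix).
LDAP_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: alice
uidNumber: 10000
gidNumber: 10000

dn: cn=media,ou=Group,dc=example,dc=org
objectClass: posixGroup
cn: media
gidNumber: 10050
memberUid: alice
memberUid: wii
memberUid: stale
"""


def parse_ldif(text):
    """Minimal LDIF parser: one dict per entry, attribute -> list of values.
    Handles blank-line separated entries and folded lines (leading space);
    base64 values ('::') are not needed for posix entries and are left raw."""
    entries, current, last_attr = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last_attr is not None:
            # folded continuation line: append to the previous value
            current[last_attr][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        last_attr = attr.strip()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def local_users(passwd_text):
    """Login names from an /etc/passwd-style text (the 'files' NSS source)."""
    return {line.split(":")[0] for line in passwd_text.splitlines()
            if line and not line.startswith("#")}


def ldap_users(entries):
    """Login names of posixAccount entries (the 'ldap' NSS source)."""
    return {e["uid"][0] for e in entries if "posixAccount" in e.get("objectClass", [])}


def ldap_groups(entries):
    return [e for e in entries if "posixGroup" in e.get("objectClass", [])]


def getent_group_line(group):
    """Render a posixGroup the way `getent group` prints it: name:x:gid:members."""
    members = ",".join(group.get("memberUid", []))
    return "%s:x:%s:%s" % (group["cn"][0], group["gidNumber"][0], members)


def orphan_members(group, known_users):
    """memberUid values that match neither a local nor an LDAP account.
    memberUid is a plain string, so the directory never validates it."""
    return [m for m in group.get("memberUid", []) if m not in known_users]


def audit_groups(passwd_text, ldif_text):
    """Per group: the getent-style line and any unresolved members."""
    entries = parse_ldif(ldif_text)
    known = local_users(passwd_text) | ldap_users(entries)
    return {g["cn"][0]: {"line": getent_group_line(g),
                         "orphans": orphan_members(g, known)}
            for g in ldap_groups(entries)}


if __name__ == "__main__":
    for name, info in audit_groups(LOCAL_PASSWD, LDAP_LDIF).items():
        print(info["line"])
        if info["orphans"]:
            print("  unresolved memberUid in %s: %s" % (name, ", ".join(info["orphans"])))
```

On a real host the known-user set would come from `getent passwd` rather than a pasted passwd file, and the LDIF from an `ldapsearch` export of the group subtree; the resolution logic stays the same.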

