Hi,

Is it possible to have Fedora DS and have the password lookup redirected to Active Directory? Some kind of proxy lookup. Take the case of Mac OS X server and clients: they have Open Directory, and the password manager can authenticate against the Active Directory.

Is it possible to have FDS without the password?

So I would like to know, is it possible to achieve the same for FDS using Samba, Winbind or NSS? Is it possible that the FDS has all the user permissions and special groups but the authentication is turned to AD? I know the passwords are hashed by Kerberos and hope we can achieve this with some effort.

A useful post by Microsoft: http://technet.microsoft.com/en-us/magazine/2008.12.linux.aspx?pr=blog

Thanks,
Prashanth
To elaborate the question: Is it possible to have a Pass-Through authentication system as with OpenLDAP?

About Pass-through Authentication: http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication

Another post by Microsoft: I am hoping this setting can help me read the user passwords to authenticate against. http://www.advproxy.net/ldapads.html

Prashanth

On 7/13/09 1:13 PM, "Prashanth Sundaram" <psundaram@wgen.net> wrote:

> Hi,
>
> Is it possible to have Fedora DS and have the password lookup redirected to
> Active Directory? Some kind of proxy lookup. Take the case of Mac OS X server
> and clients, they have Open Directory and the password manager can
> authenticate against the Active Directory.
>
> Is it possible to have FDS without the password?
>
> So I would like to know, is it possible to achieve the same for FDS using
> Samba, Winbind or NSS? Is it possible that the FDS has all the user
> permissions and special groups but the authentication is turned to AD. I know
> the passwords are hashed by Kerberos and hope we can achieve this with some
> effort.
>
> A useful post by Microsoft
> http://technet.microsoft.com/en-us/magazine/2008.12.linux.aspx?pr=blog
>
> Thanks,
> Prashanth
On 07/13/2009 10:13 AM, Prashanth Sundaram wrote:
> Hi,
>
> Is it possible to have Fedora DS and have the password lookup
> redirected to Active Directory? Some kind of proxy lookup. Take the
> case of Mac OS X server and clients, they have Open Directory and the
> password manager can authenticate against the Active Directory.
>
> Is it possible to have FDS without the password?

See the PAM Pass-through plug-in: http://directory.fedoraproject.org/wiki/Howto:PAM_Pass_Through

> So I would like to know, is it possible to achieve the same for FDS
> using Samba, Winbind or NSS? Is it possible that the FDS has all the
> user permissions and special groups but the authentication is turned
> to AD. I know the passwords are hashed by Kerberos and hope we can
> achieve this with some effort.
>
> A useful post by Microsoft
> http://technet.microsoft.com/en-us/magazine/2008.12.linux.aspx?pr=blog
>
> Thanks,
> Prashanth
>
> --
> 389 users mailing list
> 389-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
----- The following is an automated response -----
to your message generated on behalf of david.donnan@thalesgroup.com

Subject: Out of the office

Hello. I'm out of the office from 10 July 2009 until 20 July 2009 (inclusive).

Thanks, David (Dave) Donnan
Thanks Nathan.

I found some old threads discussing the same issue.

https://www.redhat.com/archives/fedora-directory-users/2006-November/msg00301.html

Question 1: Do I still need PassSync.msi installed on the Win server?

Question 2: How does this work exactly? This is what I understand: for any user who logs on, the query first goes to FDS and then the PTA plugin queries the AD.

Question 3: What exactly is AD Chaining? I get the literal meaning that AD is a symlink to the LDAP DB on the FDS. I would like to know the clear distinction between the two (AD Chaining and Pass-thru).

I am sorry if I am repeating any questions. I am new to Unix and learning on my own.

Thank you so much, your help is greatly appreciated.

Prashanth
Prashanth Sundaram wrote:
> Thanks Nathan.
>
> I found some old threads discussing the same issue.
>
> https://www.redhat.com/archives/fedora-directory-users/2006-November/msg00301.html
>
> Question 1: Do I still need PassSync.msi installed on the Win server?

No.

> Question 2: How does this work exactly? This is what I understand: Any
> user who logs on, the query first goes to FDS and then the PTA plugin
> queries the AD.

PAM passthrough works via PAM - similarly to how OpenLDAP goes through saslauthd - so if you have some PAM module that can auth against AD (except LDAP, which probably won't work) you can configure PAM passthrough to pass the auth to that PAM module, then to AD.

> Question 3: What exactly is AD Chaining? I get the literal meaning
> that AD is a symlink to the LDAP DB on the FDS. I would like to know
> the clear distinction between the two. (AD Chaining and Pass-thru)

With chaining, you have _no_ local data in the directory server - all of the data is pulled from AD. With PAM passthrough, just the _auth_ is done against AD - you still have to have the local data in the directory server.

> I am sorry if I am repeating any questions. I am new to Unix and
> learning on my own.
>
> Thank you so much, your help is greatly appreciated.
>
> Prashanth
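To make the "auth only goes to AD, data stays local" arrangement concrete, here is an added configuration example (not from the thread, and not the 389 project's own documentation): an LDIF fragment that enables the PAM Pass Through Auth plug-in so that simple binds are checked by a PAM stack instead of the entry's local userPassword. The people suffix, the PAM service name and the use of pam_krb5 against the AD realm are assumptions; the attribute names are the plug-in's own.

```ldif
# Added example, not from the thread. Assumes /etc/pam.d/ldapserver on
# the directory host already authenticates against AD, e.g. (assumed):
#
#   auth     required   pam_krb5.so
#   account  required   pam_krb5.so
#
# No LDAP-backed PAM module is used, as the reply above advises.
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
# Binds under cn=config (the server's own configuration entries) are
# never handed to PAM; they keep using the local password.
replace: pamExcludeSuffix
pamExcludeSuffix: cn=config
-
# Map the bind DN to a PAM user name by reading the uid attribute of
# the bound entry (the same name AD knows the user by).
replace: pamIDMapMethod
pamIDMapMethod: ENTRY
-
replace: pamIDAttr
pamIDAttr: uid
-
# Name of the PAM service file consulted on the directory host.
replace: pamService
pamService: ldapserver
-
# AD is authoritative: if PAM rejects the bind, do NOT fall back to a
# userPassword that may still be stored on the local entry.
replace: pamFallback
pamFallback: FALSE
-
# The clear-text password has to reach the directory server before PAM
# can check it, so only accept pass-through binds over SSL/TLS.
replace: pamSecure
pamSecure: TRUE
```

Apply it with ldapmodify as the directory administrator and restart the directory server, since plug-in configuration is read at startup. With pamSecure TRUE, clients must bind over LDAPS or StartTLS; a clear-text bind that matches the pass-through filter is refused rather than forwarded.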
Well thank fuck for that. So glad I know a complete stranger is on holiday...

On Mon, Jul 13, 2009 at 10:14 PM, <david.donnan@thalesgroup.com> wrote:
> ----- The following is an automated response -----
> to your message generated on behalf of david.donnan@thalesgroup.com
>
> Subject: Out of the office
>
> Hello. I'm out of the office from 10 July 2009 until 20 July 2009
> (inclusive).
>
> Thanks, David (Dave) Donnan
>
> ---------- Forwarded message ----------
> From: Prashanth Sundaram <psundaram@wgen.net>
> To: "fedora-directory-users@redhat.com" <fedora-directory-users@redhat.com>
> Date: Mon, 13 Jul 2009 17:15:40 -0400
> Subject: [389-users] Re: Password lookup to AD
>
> Thanks Nathan.
>
> I found some old threads discussing the same issue.
>
> https://www.redhat.com/archives/fedora-directory-users/2006-November/msg00301.html
>
> Question 1: Do I still need PassSync.msi installed on the Win server?
>
> Question 2: How does this work exactly? This is what I understand: Any user
> who logs on, the query first goes to FDS and then the PTA plugin queries the AD.
>
> Question 3: What exactly is AD Chaining? I get the literal meaning that AD
> is a symlink to the LDAP DB on the FDS. I would like to know the clear
> distinction between the two. (AD Chaining and Pass-thru)
>
> I am sorry if I am repeating any questions. I am new to Unix and learning
> on my own.
>
> Thank you so much, your help is greatly appreciated.
>
> Prashanth