Re: Help with: openldap / active directory / sasl
On Thu, Aug 12, 2010 at 9:06 PM, Bruce Dawson j...@codemeta.com wrote:
> If I remember correctly Active Directory requires Kerberos.

We recently upgraded our AD servers; they now require Kerberos for Samba servers to join the domain. I think you can modify AD to allow other authentication.

___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
Re: Help with: openldap / active directory / sasl
On Thu, Aug 12, 2010 at 9:06 PM, Bruce Dawson j...@codemeta.com wrote:
> If I remember correctly Active Directory requires Kerberos.

Active Directory is basically NTLM plus LDAP plus Kerberos plus dynamic DNS plus some proprietary Microsoft glue. I know Windows computers in an Active Directory domain definitely use Kerberos for authentication. It's been that way going back to the first release in Win 2000.

Samba can act as a native AD member. When used that way, one has to configure Kerberos on the Samba box. Samba can also act as an NT domain member. That uses the old NTLM protocol and doesn't require Kerb. (Windows/AD supports NT domain members as "Pre-Windows 2000" clients. However, NTLM is nothing like LDAP, so that doesn't help the OP much.)

It may be possible that AD Domain Controllers support other LDAP auth methods. If so, it may be that they are not active by default.

I've got a Perl script I use to extract email addresses from AD. There's no mention of Kerberos in it. I just fed it a username and password and it worked. However, it may be that Perl's LDAP libraries automagically use Kerb if needed. It's also possible Perl is picking up the Kerb config done on the same box for Samba. It could also be that the password is going plaintext across the wire, or some other magic is happening.

Ah, Google to the rescue! This query was useful:

http://www.google.com/search?q=%22Active+Directory%22+%22DIGEST-MD5%22

The results remind me that DIGEST-MD5 requires a shared secret. That is, the client and server both have to have the password in plaintext. Just like Unix, Windows stores passwords only as hashed values by default.

The Windows GUI for Active Directory member management is called "Active Directory Users and Computers"; it lives in DSA.MSC. When you bring up the properties for a user in that thing, one of the options you can set under the Account tab is something like "Store password using reversible encryption". I've never used it but I bet that's what the OP needs.

Note that storing passwords this way is a security exposure. If you can use Kerberos instead, you're probably better off.

Note that simply enabling this option doesn't magically let Windows un-hash a hashed password. Perhaps Windows can grab the plaintext password the next time the user logs on and store it then. (That may not be possible, given the design of Kerberos.) If not, the user would have to change their password before a plaintext password was stored.

-- Ben
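To make the shared-secret point in Ben's reply concrete, here is an added example (not code from this thread, from OpenLDAP, or from Active Directory) that works a DIGEST-MD5 (RFC 2831) exchange from both sides: the client computes the response `ldapsearch -Y DIGEST-MD5` would send, and the server verifies it and returns `rspauth`. The server can only verify against H(username:realm:password), which it must hold or be able to derive from the plaintext; a one-way password hash does not suffice, so a server holding only such a hash rejects every bind, which is the "Invalid credentials (49)" failure mode in the original post. The realm, digest-uri, nonces and the "patrick"/"correct horse" credentials are made-up sample values.

```python
"""DIGEST-MD5 (RFC 2831) challenge/response, both sides, worked end to end.

Added example; not code from the gnhlug thread, OpenLDAP or Active Directory.
Realm, digest-uri, nonces and credentials below are made-up sample values.
"""
import hashlib
import hmac
import secrets

QOP = "auth"        # quality of protection ldapsearch negotiates by default
NC = "00000001"     # nonce count for the first (and only) client response


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def shared_secret(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password), raw 16 bytes.

    This is the value the server must hold or be able to derive from the
    plaintext password. It cannot be computed from the one-way hashes AD
    stores by default, which is why DIGEST-MD5 binds need "Store password
    using reversible encryption" on the account.
    """
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def _digest(secret: bytes, nonce: str, cnonce: str, digest_uri: str, a2_prefix: str) -> str:
    # A1 = H(user:realm:pass) ":" nonce ":" cnonce           (no authzid)
    a1 = secret + f":{nonce}:{cnonce}".encode()
    # A2 = "AUTHENTICATE:" digest-uri for the client response, ":" digest-uri for rspauth
    a2 = f"{a2_prefix}:{digest_uri}".encode()
    # response = HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))), KD(k, s) = H(k ":" s)
    return md5_hex(f"{md5_hex(a1)}:{nonce}:{NC}:{cnonce}:{QOP}:{md5_hex(a2)}".encode())


def client_response(username: str, realm: str, password: str,
                    nonce: str, cnonce: str, digest_uri: str) -> str:
    """Response the client sends after receiving the server's nonce."""
    return _digest(shared_secret(username, realm, password), nonce, cnonce, digest_uri, "AUTHENTICATE")


def server_verify(stored_secret: bytes, nonce: str, cnonce: str, digest_uri: str, response: str):
    """Return rspauth if the response is valid, else None (an LDAP bind would answer err 49)."""
    expected = _digest(stored_secret, nonce, cnonce, digest_uri, "AUTHENTICATE")
    if not hmac.compare_digest(expected, response):
        return None
    return _digest(stored_secret, nonce, cnonce, digest_uri, "")


def client_check_rspauth(username: str, realm: str, password: str,
                         nonce: str, cnonce: str, digest_uri: str, rspauth: str) -> bool:
    """Mutual auth: the client recomputes rspauth, proving the server knew the secret too."""
    expected = _digest(shared_secret(username, realm, password), nonce, cnonce, digest_uri, "")
    return hmac.compare_digest(expected, rspauth)


def run_exchange(client_password: str, server_stored_secret: bytes) -> bool:
    """Full exchange with fresh nonces; True only if both sides accept each other."""
    username, realm, digest_uri = "patrick", "MYREALM", "ldap/somead.local"  # sample values
    nonce = secrets.token_hex(16)    # server challenge
    cnonce = secrets.token_hex(16)   # client nonce
    resp = client_response(username, realm, client_password, nonce, cnonce, digest_uri)
    rspauth = server_verify(server_stored_secret, nonce, cnonce, digest_uri, resp)
    if rspauth is None:
        return False
    return client_check_rspauth(username, realm, client_password, nonce, cnonce, digest_uri, rspauth)


if __name__ == "__main__":
    stored = shared_secret("patrick", "MYREALM", "correct horse")  # what the server must hold
    print("right password:", run_exchange("correct horse", stored))
    print("wrong password:", run_exchange("battery staple", stored))
    # A server that kept only a one-way hash has nothing usable as the secret:
    one_way = hashlib.sha256(b"correct horse").digest()[:16]
    print("one-way hash as secret:", run_exchange("correct horse", one_way))
```

The exchange only succeeds when the server's stored value equals H(username:realm:password); the third print shows that even the correct password cannot rescue a server holding an unrelated one-way hash. Note also that DIGEST-MD5 was moved to Historic by RFC 6331 in 2011, so on current systems the Kerberos/GSSAPI bind Ben recommends is the right fix rather than enabling reversible encryption.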
Help with: openldap / active directory / sasl
Hey All,

I'm trying to bind to the LDAP interface using SASL. The LDAP interface is running on an Active Directory server. Using a basic un/pw bind works:

ldapsearch -h somead.local -b -s base -x -D myu...@myrhelm -W

Outputs what I would expect, but

ldapsearch -h somead.local -b -s base -Y DIGEST-MD5 -D myu...@myrhelm -W

Outputs:

Enter LDAP Password:
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece

I'm a bit stumped. I was under the impression that SASL/DIGEST-MD5 was its own authentication method, that I didn't have to have a Kerb ticket to make the call. It's common for Linux LDAP-to-AD connections to have Kerberos set up; I don't think it's necessary. Googling around for an answer has been a study in futility.

Anyone know the magic for doing SASL auth against an AD server? I know the server is set up for reversible passwords, so I don't think that's the issue.

Why does LDAP+AD hate me? I'm a fun guy! I just wanna chat with it about some stuff...

Patrick
Re: Help with: openldap / active directory / sasl
If I remember correctly Active Directory requires Kerberos. Unfortunately, it's been almost a year since I worked on that project, and I don't remember much. Maybe some of the Microsoft/Linux interface members can help?!

--Bruce

On 08/12/2010 06:14 PM, Flaherty, Patrick wrote:
> Hey All,
>
> I'm trying to bind to the LDAP interface using SASL. The LDAP interface is running on an Active Directory server. Using a basic un/pw bind works:
>
> ldapsearch -h somead.local -b -s base -x -D myu...@myrhelm -W
>
> Outputs what I would expect, but
>
> ldapsearch -h somead.local -b -s base -Y DIGEST-MD5 -D myu...@myrhelm -W
>
> Outputs:
>
> Enter LDAP Password:
> SASL/DIGEST-MD5 authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> additional info: 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece
>
> I'm a bit stumped. I was under the impression that SASL/DIGEST-MD5 was its own authentication method, that I didn't have to have a Kerb ticket to make the call. It's common for Linux LDAP-to-AD connections to have Kerberos set up; I don't think it's necessary. Googling around for an answer has been a study in futility.
>
> Anyone know the magic for doing SASL auth against an AD server? I know the server is set up for reversible passwords, so I don't think that's the issue.
>
> Why does LDAP+AD hate me? I'm a fun guy! I just wanna chat with it about some stuff...
>
> Patrick
OpenLDAP
Does anyone know of a good GUI or web-based browser for OpenLDAP? I'd like to be able to create/modify objects, etc. faster, and without as much typign ;-)

TIA,
Kenny

--
Tact is just *not* saying true stuff -- Cordelia Chase

Kenneth E. Lussier
Sr. Systems Administrator
Zuken, USA
PGP KeyID CB254DD0
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xCB254DD0
Re: OpenLDAP
Quoting Kenneth E. Lussier [EMAIL PROTECTED]:
> Does anyone know of a good GUI or web-based browser for OpenLDAP? I'd like to be able to create/modify objects, etc. faster, and without as much typign ;-)

http://freshmeat.net/projects/awebdap/?topic_id=28%2C68%2C243%2C129

I tended to like that one.. Searching freshmeat for "LDAP Web" reveals many, though.. Take yer pick.. ;-)

--
Thomas Charron
-={ Is beadarrach an ni an onair }=-
Re: OpenLDAP
In a message dated: 21 Nov 2002 14:35:27 EST, Kenneth E. Lussier said:
> Does anyone know of a good GUI or web-based browser for OpenLDAP? I'd like to be able to create/modify objects, etc. faster, and without as much typign ;-)

Read this month's issue of LJ; the entire issue is devoted to LDAP.

--
Seeya,
Paul

--
It may look like I'm just sitting here doing nothing, but I'm really actively waiting for all my problems to go away.
If you're not having fun, you're not doing it right!
Re: OpenLDAP
Kenneth E. Lussier [EMAIL PROTECTED] writes:
> Does anyone know of a good GUI or web-based browser for OpenLDAP? I'd like to be able to create/modify objects, etc. faster, and without as much typign ;-)

Yes and no. I poked around on freshmeat.net for something like that, after setting up LDAP on Monday by following the article in Linux Journal. GQ worked reasonably well; I could add all sorts of stuff to the existing LDAP entries, but I couldn't see any way within GQ to add a completely new entry. I ended up just writing a shell script that would create a dummy entry with a specified UID, which I could then edit with GQ.

--
John Abreau / Executive Director, Boston Linux & Unix
ICQ 28611923 / AIM abreauj / JABBER [EMAIL PROTECTED] / YAHOO abreauj
Email [EMAIL PROTECTED] / WWW http://www.abreau.net / PGP-Key-ID 0xD5C7B5D9
PGP-Key-Fingerprint 72 FB 39 4F 3C 3B D6 5B E0 C8 5A 6E F1 2C BE 99
Re: OpenLDAP book?
In a message dated: Mon, 07 Oct 2002 13:46:12 PDT, Ken Ambrose said:
> Hey, all. It appears to me that OpenLDAP has an almost complete dearth of dead-tree documentation. Is this true?

Ayup! I've been looking for a good book on LDAP of *any* kind for a couple of years now. There are 3 or 4 out there, but nothing really on the technical side of running an LDAP server, and getting information into and out of it. There seems to be a lot on building applications to *use* an already existing LDAP server, which really doesn't do you much good if you can't figure out how to set the damn thing up and populate it to begin with!

> Does anyone know of a reasonably good book that is still in print that I might be able to find?

There's one by Marc Wilcox, published by Wrox Press, called "Implementing LDAP". The book focuses mostly on the Netscape server, and is a couple years old, but has a decent amount on OpenLDAP as well. The focus on the Netscape server is due to Marc's involvement with and development for Netscape, I assume. The book is pretty decent, but still not the "Sysadmin's Guide to OpenLDAP" I'd prefer existed :(

HTH,

--
Seeya,
Paul

--
It may look like I'm just sitting here doing nothing, but I'm really actively waiting for all my problems to go away.
If you're not having fun, you're not doing it right!
OpenLDAP book?
Hey, all. It appears to me that OpenLDAP has an almost complete dearth of dead-tree documentation. Is this true? Does anyone know of a reasonably good book that is still in print that I might be able to find? Just looking for implementation -- but preferably in English, as opposed to the stuff on openldap.org. (Okay, it's not that bad, but it is darn terse and almost impenetrable for a relative newbie to LDAP.) And while this may seem redundant, I'm looking for it to be specifically regarding OpenLDAP, and _not_ another high-level overview of why LDAP is cooler than [NIS|NDS|NIS+|etc.], which seems to grow in proliferation.

Thanks!

-Ken