Re: Help with: openldap / active directory / sasl

2010-08-13 Thread Tom Buskey
On Thu, Aug 12, 2010 at 9:06 PM, Bruce Dawson j...@codemeta.com wrote:

> If I remember correctly Active Directory requires Kerberos.


We recently upgraded our AD servers & they now require Kerberos for Samba
servers to join the domain.

I think you can modify AD to allow other authentication.
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/


Re: Help with: openldap / active directory / sasl

2010-08-13 Thread Benjamin Scott
On Thu, Aug 12, 2010 at 9:06 PM, Bruce Dawson j...@codemeta.com wrote:
> If I remember correctly Active Directory requires Kerberos.

  Active Directory is basically NTLM plus LDAP plus Kerberos plus
dynamic DNS plus some proprietary Microsoft glue.

  I know Windows computers in an Active Directory domain definitely
use Kerberos for authentication.  It's been that way going back to the
first release in Win 2000.

  Samba can act as a native AD member.  When used that way, one has
to configure Kerberos on the Samba box.  Samba can also act as an NT
domain member.  That uses the old NTLM protocol and doesn't require
Kerb.  (Windows/AD supports NT domain members as Pre-Windows 2000
clients.  However, NTLM is nothing like LDAP, so that doesn't help
the OP much.)

  It may be possible that AD Domain Controllers support other LDAP
auth methods.  If so, it may be that they are not active by default.

  I've got a Perl script I use to extract email addresses from AD.
There's no mention of Kerberos in it.  I just fed it a username and
password and it worked.  However, it may be that Perl's LDAP libraries
automagically use Kerb if needed.  It's also possible Perl is picking
up the Kerb config done on the same box for Samba.  It could also be
that the password is going plaintext across the wire, or some other
magic is happening.

  Ah, Google to the rescue!  This query was useful:

http://www.google.com/search?q=%22Active+Directory%22+%22DIGEST-MD5%22

  The results remind me that DIGEST-MD5 requires a shared secret.
That is, the client and server both have to have the password in
plaintext.  Just like Unix, Windows stores passwords only as hashed
values by default.

  The Windows GUI for Active Directory member management is called
Active Directory Users & Computers; it lives in DSA.MSC.  When
you bring up the properties for a user in that thing, one of the
options you can set under the Account tab is something like Store
password using reversible encryption.  I've never used it but I bet
that's what the OP needs.

  Note that storing passwords this way is a security exposure.  If you
can use Kerberos instead, you're probably better off.

  Note that simply enabling this option doesn't magically let Windows
un-hash a hashed password.  Perhaps Windows can grab the plaintext
password the next time the user logs on and store it then.  (That may
not be possible, given the design of Kerberos.)  If not, the user
would have to change their password before a plaintext password was
stored.

-- Ben
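To make Ben's shared-secret point concrete, here is an added Python sketch (not from the thread or any project) of the RFC 2831 DIGEST-MD5 response computation next to a simulated directory check: the server can only recompute the digest if it holds the password in recoverable form, so an account without reversible storage fails the bind the way Patrick's did. The account name, realm, nonces and digest-uri are constructed sample values.

```python
import hashlib
import hmac


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def digest_md5_response(username, realm, password, nonce, cnonce, nc,
                        digest_uri, qop="auth"):
    """Client 'response' for RFC 2831 DIGEST-MD5 (algorithm=md5-sess, qop=auth)."""
    # A1 starts from the raw MD5 of user:realm:password, so whoever verifies
    # this value must hold the password (or that realm-bound MD5), not a
    # one-way hash such as the NT hash Windows keeps by default.
    a1 = _md5(f"{username}:{realm}:{password}".encode()) \
        + f":{nonce}:{cnonce}".encode()
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(f"AUTHENTICATE:{digest_uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()


def server_verify(stored_password, username, realm, nonce, cnonce, nc,
                  digest_uri, response):
    """Simulated directory check. stored_password is the cleartext kept under
    'Store password using reversible encryption', or None when the account
    only has a one-way hash (the default). Returns an ldapsearch-style result."""
    if stored_password is None:
        # No recoverable secret: the digest cannot be recomputed, so the bind
        # is rejected, matching the 'Invalid credentials (49)' in the thread.
        return "Invalid credentials (49)"
    expected = digest_md5_response(username, realm, stored_password,
                                   nonce, cnonce, nc, digest_uri)
    ok = hmac.compare_digest(expected, response)
    return "Success (0)" if ok else "Invalid credentials (49)"


if __name__ == "__main__":
    # Constructed sample exchange (not real nonces, accounts or passwords).
    user, realm, pw = "patrick", "MYREALM", "hunter2"
    nonce, cnonce, nc, uri = "srv-nonce-1", "cli-nonce-1", "00000001", "ldap/somead.local"
    resp = digest_md5_response(user, realm, pw, nonce, cnonce, nc, uri)
    print("reversible storage on :", server_verify(pw, user, realm, nonce, cnonce, nc, uri, resp))
    print("hash-only storage     :", server_verify(None, user, realm, nonce, cnonce, nc, uri, resp))
```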


Help with: openldap / active directory / sasl

2010-08-12 Thread Flaherty, Patrick
Hey All, 

I'm trying to bind to LDAP interface using SASL. The ldap interface is
running on an active directory server.

Using a basic un/pw bind works: 
 ldapsearch -h somead.local -b "" -s base -x -D myu...@myrhelm -W

Outputs what I would expect, but

ldapsearch -h somead.local -b "" -s base -Y DIGEST-MD5 -D myu...@myrhelm -W

Outputs:
 Enter LDAP Password: 
 SASL/DIGEST-MD5 authentication started
 ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: 8009030C: LdapErr: DSID-0C09043E, comment:
AcceptSecurityContext error, data 0, vece

I'm a bit stumped.

I was under the impression that sasl/digest-md5 was its own
authentication method, that I didn't have to have a kerb ticket to make
the call. It's common for linux ldap to ad connections to have Kerberos
setup, but I don't think it's necessary. Googling around for an answer has
been a study in futility.

Anyone know the magic for doing sasl auth against an ad server? I know
the server is set up for reversible passwords, so I don't think
that's the issue.

Why does LDAP+AD hate me? I'm a fun guy! I just wanna chat with it about
some stuff...

Patrick



Re: Help with: openldap / active directory / sasl

2010-08-12 Thread Bruce Dawson
If I remember correctly Active Directory requires Kerberos.

Unfortunately, it's been almost a year since I worked on that project,
and I don't remember much. Maybe some of the Microsoft/Linux interface
members can help?!

--Bruce



OpenLDAP

2002-11-21 Thread Kenneth E. Lussier
Does anyone know of a good GUI or web-based browser for OpenLDAP? I'd
like to be able to create/modify objects, etc. faster, and without as
much typign ;-)

TIA,
Kenny

-- 

Tact is just *not* saying true stuff -- Cordelia Chase

Kenneth E. Lussier
Sr. Systems Administrator
Zuken, USA
PGP KeyID CB254DD0 
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xCB254DD0





Re: OpenLDAP

2002-11-21 Thread Thomas Charron
Quoting Kenneth E. Lussier [EMAIL PROTECTED]:
> Does anyone know of a good GUI or web-based browser for OpenLDAP? I'd
> like to be able to create/modify objects, etc. faster, and without as
> much typign ;-)

http://freshmeat.net/projects/awebdap/?topic_id=28%2C68%2C243%2C129

I tended to like that one..  Searching freshmeat for LDAP Web reveals many, 
though..  Take yer pick..  ;-)

--
Thomas Charron
-={ Is beadarrach an ni an onair }=-



Re: OpenLDAP

2002-11-21 Thread pll

In a message dated: 21 Nov 2002 14:35:27 EST
Kenneth E. Lussier said:

> Does anyone know of a good GUI or web-based browser for OpenLDAP? I'd
> like to be able to create/modify objects, etc. faster, and without as
> much typign ;-)

Read this months issue of LJ, the entire issue is devoted to LDAP.
-- 

Seeya,
Paul
--
It may look like I'm just sitting here doing nothing,
   but I'm really actively waiting for all my problems to go away.

 If you're not having fun, you're not doing it right!





Re: OpenLDAP

2002-11-21 Thread John Abreau
Kenneth E. Lussier [EMAIL PROTECTED] writes:

> Does anyone know of a good GUI or web-based browser for OpenLDAP? I'd
> like to be able to create/modify objects, etc. faster, and without as
> much typign ;-)

Yes and no. I poked around on freshmeat.net for something like that, after 
setting up LDAP on Monday by following the article in Linux Journal. 
GQ worked reasonably well; I could add all sorts of stuff to the existing 
LDAP entries, but I couldn't see any way within GQ to add a completely
new entry. I ended up just writing a shell script that would create a 
dummy entry with a specified UID, which I could then edit with GQ.


--
John Abreau / Executive Director, Boston Linux & Unix
ICQ 28611923 / AIM abreauj / JABBER [EMAIL PROTECTED] / YAHOO abreauj
Email [EMAIL PROTECTED] / WWW http://www.abreau.net / PGP-Key-ID 0xD5C7B5D9
PGP-Key-Fingerprint 72 FB 39 4F 3C 3B D6 5B E0 C8 5A 6E F1 2C BE 99





Re: OpenLDAP book?

2002-10-08 Thread pll


In a message dated: Mon, 07 Oct 2002 13:46:12 PDT
Ken Ambrose said:

> Hey, all.  It appears to me that OpenLDAP has an almost complete dearth of
> dead-tree documentation.  Is this true? 

Ayup!  I've been looking for a good book on LDAP of *any* kind for a 
couple of years now.  There are 3 or 4 out there, but nothing 
really on the technical side of running an LDAP server, and getting 
information into and out of it.  There seems to be a lot on building 
applications to *use* an already existing LDAP server, which really 
doesn't do you much good if you can't figure out how to set the damn 
thing up and populate it to begin with!

> Does anyone know of a reasonably good book that is still in print
> that I might be able to find?

There's one by Marc Wilcox, published by Wrox Press, called 
Implementing LDAP.  The book focuses mostly on the Netscape server, 
and is a couple years old, but has a decent amount on OpenLDAP as 
well.  The focus on the Netscape server is due to Marc's involvement 
with and development for Netscape I assume.  The book is pretty 
decent, but still not the Sysadmin's Guide to OpenLDAP I'd prefer 
existed :(

HTH,

-- 

Seeya,
Paul
--
It may look like I'm just sitting here doing nothing,
   but I'm really actively waiting for all my problems to go away.

 If you're not having fun, you're not doing it right!





OpenLDAP book?

2002-10-07 Thread Ken Ambrose

Hey, all.  It appears to me that OpenLDAP has an almost complete dearth of
dead-tree documentation.  Is this true?  Does anyone know of a reasonably
good book that is still in print that I might be able to find?  Just
looking for implementation -- but preferably in English, as opposed to the
stuff on openldap.org.  (Okay, it's not that bad, but it is darn terse and
almost impenetrable for a relative newbie to LDAP.)  And while this may
seem redundant, I'm looking for it to be specifically regarding OpenLDAP,
and _not_ another high-level overview of why LDAP is cooler than
[NIS|NDS|NIS+|etc.], which seems to grow in proliferation.

Thanks!

-Ken

