tarballed
April 24th, 2003, 17:04
Ok. I have some questions that I wanted to get some feedback on regarding LDAP.

Briefly, I am going to be setting up a Linux server with Samba acting as the PDC. LDAP will also be installed.

My manager is convinced that LDAP is going to be used for authentication. Now, I know that you can set up LDAP for authentication, but Samba should work just as well for user authentication and allowing certain users access to specified shares. Is this correct?

Anyone else care to share some experiences with LDAP? I know that LDAP is a place to store information about employees in the company. I can't help but think that Samba will do what we want (user authentication, access to shares etc.) just as well and be a bit easier.

Any comments?

Tarballed

tarballed
April 24th, 2003, 18:59
What? No takers. :bluegrab:

Clock is ticking. j/k

hehe

Tarballed

elmore
April 24th, 2003, 19:49
Samba can do LDAP auth if you compile the support in; if the rest of your network is set up to authenticate to an LDAP DB, that might be the reason they want you to look at it. I myself have never tackled LDAP, and every time I've looked at it my head starts swimming. I know minion has done some minor LDAP work, but I think the extent of that might have just been to set up a company address book.

tarballed
April 24th, 2003, 20:03
Samba can do LDAP auth if you compile the support in; if the rest of your network is set up to authenticate to an LDAP DB, that might be the reason they want you to look at it.

Interesting point. If my users are all going to be using Windows 2000 Professional, would LDAP even work? I know you can set up Linux and *BSD to use LDAP for authentication, but I never considered Windows.

Hmm.

Tarballed

elmore
April 24th, 2003, 20:17
Yeah, sure it can. Samba will take care of where to send the authentication to. Your Windows box need only know how to talk to Samba.

tarballed
April 24th, 2003, 21:01
I was hoping you would say something like "LDAP won't work for user authentication with Windows stuff!" hehehe

I've been doing some research and it is really going to be the hardest part of the whole setup.

Tarballed

|MiNi0n|
April 24th, 2003, 22:37
Ok, ok. LDAP is big and ugly, but it's not *that* scary. There are a lot of recent LDAP how-tos that should help you out.

Check out this link on deadly.org (don't mind the ugly-ass IP, deadly's having DNS issues lately):

http://64.90.164.50/article.php3?sid=20030423092225

This is quite helpful as well, particularly the LDIF schema explanation!!!:

http://www.onlamp.com/pub/a/onlamp/2002/10/17/essentialsysadmin.html

As for Samba, why don't you give samba-tng a whirl?:

http://www.samba-tng.org

Here's a quote from the faq you might find interesting, in particular pay attention to the last paragraph discussing LDAP and a PDC:

Which should I use - Samba or Samba-TNG?

If you just want a file and print server, use Samba. They have a lot more developers than we do (so far!) and are able to support a much wider range of platforms and situations. At present we are neither willing nor able to try to outrun Samba in file and print serving; it is simply not our focus.

If you want a replacement for an NT primary domain controller, you can use either project. The main philosophical difference is that the Samba project wants to produce a Unix server capable of acting as an NT domain controller, whereas the Samba-TNG project wants to basically be an NT domain controller running on Unix. The other difference is that Samba-TNG is somewhat more advanced in terms of protocol support, although Samba is catching up and may be ahead in some areas.

If you want an NT domain controller running with an LDAP backend, optionally integrated with your LDAP-based Unix user database, you probably want to use Samba-TNG. Samba has some experimental support for this, but Samba-TNG has had it working for much longer so it is more mature.

There ya have it. All of the above is the direction I intend to take myself given the next opportunity. Speaking of which.... anyone need a BSD Sys Admin? I'm in the job hunt... will travel :lol:

tarballed
April 24th, 2003, 22:52
Good stuff. Thank you minion. I will definitely take a look at that. That could come in handy and hopefully, reduce any potential headaches.

I will keep everyone posted on how everything is going when it starts.

Thanks everyone.

tarballed

Strog
April 24th, 2003, 23:20
If my users are all going to be using Windows 2000 Professional, would LDAP even work?

I hate to break this to you, but LDAP is what Active Directory is based on. Sure, they have hacked in some Microsoftisms, but the base is LDAP. I think Windows 2000 clients would do just fine since they are looking for it anyway in a domain controller situation.

Active Directory stores user, groups, machine accounts, printer shares, corporate address book(s) and so much more. OpenLDAP can give you all this functionality plus the ability to troubleshoot and tweak like Active Directory can't do. You can tie NDS into it if you have some fairly recent Novell boxes you want tied in. I read a good article on how to tweak OS X server to use Active Directory and OpenLDAP is trivial compared to that. LDAP can be used to authenticate BSD's, Linux, Solaris, OS X, etc. so it can give a single signon across platforms if that is the goal. If you are using CUPS with IPP for your print server(s), you can put your printer info and make it real easy to find and add printers for your Win2k clients.

Do you really have to use LDAP with Samba? Not really, but you will look the hero if you get all this integrated.

Will there be enough tarballed to go around without imploding? Probably not. Maybe you can get some help with parts of it and you can lay the groundwork to add the parts in that don't get done on the first couple rounds.

Offer me enough incentive and I'll fly out for a couple weeks. I have some vacation time to burn. :wink: Maybe you can get a Screaming Electron crew together to go crazy with you. At least you won't go down in flames alone. 8)

Keep posting questions. I'm not much for starting discussions but I'll jump in if they are going.

|MiNi0n|
April 25th, 2003, 12:18
Offer me enough incentive and I'll fly out for a couple weeks.

Heck, give me remote access via ssh and some s/keys and I'll send an invoice :lol:

tarballed
April 25th, 2003, 15:24
I am expecting quite a challenge from LDAP. I honestly believe it will be the hardest part of the whole setup.

What I am trying to figure out and research is: do I even need to use LDAP for authentication? Won't Samba suffice for authenticating users as well as giving access to certain directories and files?

I can see setting up LDAP for a company Address book, to hold information about employees and stuff. However, for authentication, I dunno. :)

Anyways, stay tuned. Our servers are being shipped next week, so I would imagine I will start hacking away on it Wednesday of next week.

In the meantime, I want to get my Dual Boot NetBSD/FreeBSD box up asap.

Thanks everyone.

Tarballed

frisco
April 25th, 2003, 15:56
What I am trying to figure out and research is: do I even need to use LDAP for authentication? Won't Samba suffice for authenticating users as well as giving access to certain directories and files?

You don't need to use LDAP for Samba, but LDAP will help down the road when everyone wants single sign-on for everything, since many apps provide LDAP support for authentication.
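What elmore's "Samba will take care of where to send the authentication to", Strog's list of what the directory holds, and frisco's single sign-on point all come down to in practice is one LDAP entry per person that carries both the Unix attributes (posixAccount, for NSS/PAM on the Unix boxes) and the Samba attributes (sambaSamAccount, for the PDC; smb.conf then points at the directory with `passdb backend = ldapsam:ldap://host/`). The script below is an added example, not code from the thread or from the Samba project. It assumes the Samba 3 schema (the sambaSamAccount class; Samba 2.2 used the older sambaAccount class), a placeholder domain SID and base DN (the real SID comes from `net getlocalsid` on the PDC), and Samba's default algorithmic RID mapping (user RID = 2*uid + 1000, group RID = 2*gid + 1001). It carries its own MD4 because the NT hash is MD4 over the UTF-16LE password and `hashlib` often lacks MD4 under OpenSSL 3.

```python
"""Build one LDAP entry that serves both the Unix side (posixAccount) and the
Samba side (sambaSamAccount) of a user. Added example; not code from the
thread or from Samba. DOMAIN_SID and BASE_DN are hypothetical placeholders."""
import base64
import hashlib
import os
import struct

# --- MD4 (RFC 1320): the NT hash is MD4 over the UTF-16LE password. ---
def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
     tuple(range(16)), (3, 7, 11, 19)),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
)

def md4(data: bytes) -> bytes:
    bit_len = len(data) * 8
    # pad to 56 mod 64, then append the 64-bit little-endian bit length
    data = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        r = list(h)
        for f, const, ks, ss in _ROUNDS:
            for i, k in enumerate(ks):
                j = (-i) % 4            # registers are updated in the order a, d, c, b
                t = r[j] + f(r[(j + 1) % 4], r[(j + 2) % 4], r[(j + 3) % 4]) + X[k] + const
                r[j] = _rotl(t & 0xFFFFFFFF, ss[i % 4])
        h = [(h[i] + r[i]) & 0xFFFFFFFF for i in range(4)]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> str:
    """sambaNTPassword value: uppercase hex MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le")).hex().upper()

def ssha(password: str, salt: bytes = None) -> str:
    """userPassword value for the Unix side: {SSHA}, salted SHA-1 as slappasswd -h {SSHA} produces."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

# Samba's default algorithmic RID mapping ("algorithmic rid base" = 1000).
RID_BASE = 1000

def user_rid(uid_number: int) -> int:
    return uid_number * 2 + RID_BASE

def group_rid(gid_number: int) -> int:
    return gid_number * 2 + RID_BASE + 1

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # placeholder; use `net getlocalsid`
BASE_DN = "ou=People,dc=example,dc=com"                    # placeholder

def samba_user_ldif(uid, cn, sn, uid_number, gid_number, password,
                    domain_sid=DOMAIN_SID, base_dn=BASE_DN) -> str:
    """Return an LDIF entry for `ldapadd -x -D <admin dn> -W -f user.ldif`.
    No sambaLMPassword is emitted: the LM hash is weak and Samba can be run with
    `lanman auth = no`, so there is no reason to store one."""
    lines = [
        f"dn: uid={uid},{base_dn}",
        "objectClass: top",
        "objectClass: person",
        "objectClass: posixAccount",
        "objectClass: sambaSamAccount",
        f"cn: {cn}",
        f"sn: {sn}",
        f"uid: {uid}",
        f"uidNumber: {uid_number}",
        f"gidNumber: {gid_number}",
        f"homeDirectory: /home/{uid}",
        "loginShell: /bin/sh",
        f"userPassword: {ssha(password)}",
        f"sambaSID: {domain_sid}-{user_rid(uid_number)}",
        f"sambaPrimaryGroupSID: {domain_sid}-{group_rid(gid_number)}",
        f"sambaNTPassword: {nt_hash(password)}",
        "sambaAcctFlags: [U          ]",   # U = normal user; 11-character flag field
    ]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(samba_user_ldif("jdoe", "Jane Doe", "Doe", 1000, 1000, "password"))
```

The security point to take from this: sambaNTPassword is password-equivalent (it is exactly what a pass-the-hash attack needs), so the slapd ACL has to deny it to everyone except the Samba admin DN (`access to attrs=sambaNTPassword,sambaLMPassword by dn="<ldap admin dn>" write by self write by * none`), and the PDC should talk to the directory over TLS (`ldap ssl = start tls` in smb.conf) rather than shipping hashes in the clear on every lookup.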

Strog
April 25th, 2003, 18:57
Yes, you can get by without it. I would suggest planning to use it down the road and putting the framework together now for it even if it isn't initially used. It's a lot easier to decide to dump it later than to try to put it in down the road.