[NTLUG:Discuss] Easy openldap
Robert Pearson
e2eiod at gmail.com
Thu Dec 2 12:20:52 CST 2010
On Wed, Dec 1, 2010 at 2:47 AM, Ralph Green <sfreader at sbcglobal.net> wrote:
> Howdy,
> This is probably a ridiculous request, but I am an optimist, so I'll
> try. I want to set up openldap to handle a small domain. It needs to
> handle Windows and Linux machines, including a requirement that DC
> locator records are registered with the domain(I vaguely know what that
> means, and a Linux program needs it.)
From this article it seems DC Locator records enable quickly and
easily finding the correct LDAP server using DNS in an AD site.
<http://msmvps.com/blogs/acefekay/archive/2010/01/03/the-dc-locator-process-the-logon-process-controlling-which-dc-responds-in-an-ad-site-and-srv-records.aspx>
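As an added illustration (not from the article or this thread), here is the selection logic a DC Locator style client applies once it has the LDAP SRV records from DNS: lowest priority first, then RFC 2782 weighted choice within a priority. The domain and the SRV answer are constructed sample data; the record name _ldap._tcp.dc._msdcs.<domain> is the one AD registers for its domain controllers.

```python
"""Pick an LDAP server from the SRV records a domain controller registers:
order by priority, then choose within a priority by RFC 2782 weighting."""
import random
from dataclasses import dataclass

DOMAIN = "example.test"  # placeholder domain, not a real one
LDAP_SRV_NAME = f"_ldap._tcp.dc._msdcs.{DOMAIN}"

# Constructed sample of `dig +short SRV` output: priority weight port target.
SAMPLE_SRV_ANSWER = """\
0 100 389 dc1.example.test.
0 100 389 dc2.example.test.
10 0 389 dc-backup.example.test.
"""

@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str

def parse_srv(answer):
    """Parse one SRV record per line; the trailing dot on the target is dropped."""
    records = []
    for line in answer.strip().splitlines():
        prio, weight, port, target = line.split()
        records.append(Srv(int(prio), int(weight), int(port), target.rstrip(".")))
    return records

def locator_order(records, seed=None):
    """Lowest priority first; inside a priority, weighted random (RFC 2782)."""
    rng, ordered = random.Random(seed), []
    for prio in sorted({r.priority for r in records}):
        # RFC 2782: weight-0 entries are listed first so they are rarely chosen.
        pool = sorted((r for r in records if r.priority == prio),
                      key=lambda r: r.weight > 0)
        while pool:
            pick, running, chosen = rng.randint(0, sum(r.weight for r in pool)), 0, None
            for r in pool:
                running += r.weight
                if running >= pick:
                    chosen = r
                    break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered

def ldap_uri(record):
    return f"ldap://{record.target}:{record.port}"

def unexpected_targets(records, known_dcs):
    """Defender check: SRV targets that are not on the list of known DCs."""
    return sorted({r.target for r in records} - set(known_dcs))
```

Comparing the resolved targets against the DCs you expect to exist (unexpected_targets) is a cheap way to notice a stray or stale registration before clients start binding to it.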
> I just started reading the
> Openldap admin guide. Is there such a thing as a quick, but thorough
> enough guide to openldap?
The OpenLDAP admin guide has a great list that can help answer the
"When should I use LDAP" question.
<http://www.openldap.org/doc/admin24/intro.html#When should I use LDAP>
> Can openldap serve as the AD for Windows 2003
> and Linux, or is that just crazy talk?
> Thanks,
> Ralph
>
I have a very interesting NTLUG personal archive of NIS vs.
LDAP/OpenLDAP vs. AD vs. LDAP/OpenLDAP+AD Questions & Answers. Chris
Cox is the resident expert.
The following is from a Question & Answer email on another mailing list.
(Q) Has anyone here implemented a multi-computer configuration using LDAP?
If so, I'd like to hear about it.
(A) Yep. I ran it for a while. I used it for central user management
for Linux and Samba. I also stored AutoFS information in LDAP so all
of my Linux hosts had a common AutoFS configuration at all times.
(Q) I think I heard that Red Hat might also have some kind of application
like that
(A) That is the Red Hat Directory Server and the free version, the 389
Directory Server
<http://www.redhat.com/directory_server/>
<http://directory.fedoraproject.org/>
There's also OpenLDAP.
<http://www.openldap.org/>
When I was running my LDAP setup, I used OpenLDAP. I've never touched
the Fedora/Red Hat directory server.
And of course there is Active Directory, but that does require MS
computers to run it.
The thing to remember about Active Directory is that it's much more
than just LDAP.
LDAP is just a directory service. It stores information like a
database. You can configure systems to pull information from LDAP much
like they would store the information in a local file, such as
/etc/passwd, /etc/group, or even MySQL or other kind of RDBMS. It just
stores stuff.
Active Directory, for example, provides Kerberos authentication, group
policies, and other stuff and happens to use LDAP as the place to
store the information. There are other server and client side pieces
and parts that make up what is known as a whole as "Active Directory".
(Q) So, I often hear people suggest using LDAP when I ask these
multi-computer configuration and management issues, but now I'm asking:
have any of you actually implemented such a thing, and if so, please
tell me/us about it.
(A) So LDAP is primarily used in large configurations as a means for
Single-Sign-On style authentication. Via PAM modules, Linux systems
can authenticate against an LDAP server. That way, there's one place
for your users and groups and you don't have to worry about keeping
that in sync on multiple systems. This is particularly important when
using a lot of shared storage via NFS and keeping file ownership and
permissions straight.
Like I said before, there are other things you can set up to use LDAP,
such as AutoFS. In the past, I have set up OpenFire and Zimbra to get
user information from an LDAP server. There have been a few web-based
applications that I've set up as well. It all depends on whether
application X supports LDAP and what it uses it for.
To get your LDAP server up and running, there are plenty of howtos out
there that will get you up and running. A word of warning, LDAP has a
lot to it. It's easy to get overwhelmed with it and you should get
some understanding of it before relying on it too heavily.
On most Linux distributions these days, there is an easy way to set up
your system to authenticate against an LDAP server. On Fedora/Red
Hat-based systems, there is authconfig and authconfig-gtk.
So why did I stop using the setup? It was a pain and for the few
systems I had, totally not worth it. I guess I did it as one of those
do-it-to-see-what-it's-about projects.