From: Eric Anderson
Date: Tue, 12 Nov 2002 22:22:52 -0600
To: Terry Lambert
Cc: freebsd-chat@freebsd.org
Subject: Re: LDAP Admin?
Message-ID: <3DD1D39C.A6E248A6@centtech.com>

Terry Lambert wrote:
> Eric Anderson wrote:
> > I'm using it to replace NIS, and pull my MS network in with my UNIX
> > network for authentication.
>
> If you are doing this, then you should know that you can not
> replace an "Active Directory" server with an OpenLDAP server,
> and successfully use it to authenticate MS clients. The only
> thing that works now is to deploy an MS Active Directory Server.

I don't have an Active Directory server. I have an old NT4 PDC, and I'd like to get rid of that and have a samba PDC with LDAP ties.

> As far as integrating MS clients to UNIX servers, that's a
> different matter. Do a web search for "NIS GINA"; it's a
> client authentication package, which allows an NIS server to
> be used to authenticate MS clients.

It's more the other way around for me - I have several hundred Linux machines, a hundred or so Solaris boxes, FreeBSD for all the good stuff, etc. I'd like to make all the boxes use LDAP, and rid myself of NIS.

> > I just need some simple stuff like pw changing tools, user
> > adding/deleting tools, but was looking for what people use before I
> > start to get it deployed.
>
> Generally, you edit a template and import it via "ldapadd",
> or you use PHPLDAP to add a record, after filling out the fields.
>
> For passwords, they are generally stored as ciphertext, with
> the cipher type embedded at the front of the ciphertext, in
> braces, e.g. "{md5}xxyyzz", etc. In other words, the data
> contents are as generally exposed as NIS data contents, so a
> dictionary attack is a possibility.

I know about this.. this is a pain I'll have to deal with going from NIS to LDAP, but it's worth the effort I think.

> Probably your best bet is to query the Samba community, and
> potentially, the OpenLDAP community.

Hmm.. ok.. you're right.. I find the FreeBSD community to be much more "up on the times" compared to some other groups.

Thanks Terry..

Eric
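The "{scheme}base64" userPassword format Terry describes, worked through as an added example (not part of the original thread, and not OpenLDAP's or Samba's own code): it parses the stored value, verifies a candidate password against the common MD5/SHA/SSHA/SMD5 schemes, and lists the entries whose hashes are unsalted or cleartext, which is what an admin migrating from NIS would want to audit. The DNs and password values are constructed sample data.

```python
import base64
import hashlib
import hmac
import os
import re

# An OpenLDAP userPassword value looks like "{SCHEME}base64data". For the
# salted schemes the salt is appended to the digest before base64-encoding,
# so anyone who can read the attribute gets both the hash and its salt.
_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(.*)$", re.DOTALL)

# scheme -> (digest function, carries a salt)
_SCHEMES = {
    "MD5":  (hashlib.md5, False),
    "SMD5": (hashlib.md5, True),
    "SHA":  (hashlib.sha1, False),
    "SSHA": (hashlib.sha1, True),
}

def parse_userpassword(value):
    """Split a userPassword value into (scheme, raw bytes).
    A value with no {SCHEME} prefix is stored in the clear."""
    m = _SCHEME_RE.match(value)
    if not m:
        return "CLEARTEXT", value.encode()
    scheme, data = m.group(1).upper(), m.group(2)
    if scheme == "CLEARTEXT":
        return scheme, data.encode()
    return scheme, base64.b64decode(data)

def make_ssha(password, salt=None):
    """Build an {SSHA} value: base64(sha1(password || salt) || salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify(password, value):
    """Check a candidate password against a stored userPassword value."""
    scheme, raw = parse_userpassword(value)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(raw, password.encode())
    if scheme not in _SCHEMES:
        raise ValueError("unsupported scheme: " + scheme)
    hashfn, salted = _SCHEMES[scheme]
    size = hashfn().digest_size
    digest, salt = (raw[:size], raw[size:]) if salted else (raw, b"")
    return hmac.compare_digest(hashfn(password.encode() + salt).digest(), digest)

def weak_entries(entries):
    """DNs whose hash is unsalted or cleartext: the cheapest dictionary targets."""
    return [dn for dn, v in entries if parse_userpassword(v)[0] not in ("SSHA", "SMD5")]

# Constructed sample directory records (not real accounts).
SAMPLE = [
    ("uid=alice,ou=people,dc=example,dc=com", make_ssha("correct horse", b"saltsalt")),
    ("uid=bob,ou=people,dc=example,dc=com",
     "{MD5}" + base64.b64encode(hashlib.md5(b"hunter2").digest()).decode()),
    ("uid=carol,ou=people,dc=example,dc=com", "secret"),
]
```

Run `weak_entries(SAMPLE)` against an export of the directory to see which accounts still need a salted scheme before the NIS data is retired.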