LDAP authenticate to AD

kali
Posts: 64
Joined: Sat Oct 29, 2005 12:13 am

Postby kali » Thu Apr 27, 2006 11:58 pm

Is there a way (without using the SSO Krb5 route) to just use om_ldap to authenticate to a Win2000 AD server? I know this is not too hard using the openldap client... but om_ldap.conf seems to have far fewer options available (such as bind DN etc.).

Any thoughts or ideas on how (or if) this can be done?

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa

Postby Valerion » Fri Apr 28, 2006 4:48 am

You can always try the pam_ldap module, if you know that will work for you.
You will need a

    auth required om_om2authid.so

before the

    auth required pam_ldap.so

but it should work fine.

Maybe test the pam_ldap first using another app (maybe shell logins?) before you try to integrate it into Scalix.
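A worked version of the stack Valerion describes, added here as an example; it is not part of the original post and not Scalix's own documentation. The PAM service file name, the host names, the base DN and the service account are assumptions (check which PAM service the Scalix UAL actually opens on your installation). The ldap.conf keys are those of the PADL pam_ldap/nss_ldap ldap.conf.

```text
# /etc/pam.d/scalix-ual        (service name is an assumption)
# om_om2authid.so maps the Scalix authentication id to the login name
# that pam_ldap will look up, so it has to run first.
auth     required   om_om2authid.so
auth     required   pam_ldap.so

# /etc/ldap.conf               (pam_ldap / nss_ldap, PADL syntax)
# Only ldaps:// here: pam_ldap authenticates with a simple bind carrying
# the user's cleartext password.
uri                 ldaps://dc1.example.com/
ldap_version        3
base                dc=example,dc=com
scope               sub

# AD does not allow anonymous searches of user objects; a low-privilege
# read-only service account is enough for the lookup (names are assumed).
binddn              cn=scalix-ldap,ou=Service Accounts,dc=example,dc=com
bindpw              CHANGE_ME

# AD login name lives in sAMAccountName, not uid
pam_login_attribute sAMAccountName
pam_filter          objectClass=user

# AD answers with referrals to the other naming contexts of the forest;
# chasing them over TLS stalls or breaks the bind.
referrals           no

# Verify the DC certificate against the AD root CA you installed locally
ssl                 on
tls_checkpeer       yes
tls_cacertfile      /etc/ssl/certs/ad-root-ca.pem
```

Two things worth checking before this goes near Scalix: the bind must really be TLS-protected and `tls_checkpeer yes` must really be in effect, because pam_ldap sends the user's password to whatever answers the LDAP connection; and, as Valerion suggests, the same two `auth` lines are easiest to debug on a throwaway PAM service (a copy under `/etc/pam.d/` exercised by a shell login) before the Scalix service is pointed at them.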

florian
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany

Postby florian » Fri Apr 28, 2006 6:55 am

As a side remark....

doing Kerberos doesn't necessarily mean going down the SSO route - you can use pam_krb5, which has nothing to do with SSO; it is still username/password against Kerberos.

While both om_ldap and pam_ldap should be somehow possible, configuration for krb5 is MUCH simpler, it supports password changes through a Scalix client and it should be more performant and efficient and secure as well. The only downside is that even in a non-SSO situation the scalix-ual Kerberos principal must be created on the Windows side.

-- f.
Florian von Kurnatowski, Die Harder!
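The pam_krb5 variant Florian recommends, again as an added example rather than text from the thread or from Scalix. Realm, domain and DC names are assumptions, as is the PAM service file name; the `validate` and `keytab=` module options are those of the Red Hat pam_krb5 and are spelled differently by other pam_krb5 implementations.

```text
# /etc/krb5.conf
[libdefaults]
    default_realm  = EXAMPLE.COM
    # Locate KDCs via the _kerberos._tcp SRV records AD publishes
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc            = dc1.example.com
        admin_server   = dc1.example.com
        kpasswd_server = dc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com  = EXAMPLE.COM

# /etc/pam.d/scalix-ual        (service name is an assumption)
auth     required   om_om2authid.so
# validate: decrypt a service ticket for the key in the keytab before
# trusting the TGT, so a rogue KDC cannot make any password "correct".
auth     required   pam_krb5.so validate keytab=/etc/krb5.keytab
```

The keytab is where Florian's "only downside" comes from: pam_krb5 can only validate the TGT it obtains if it holds a key for a principal the AD KDC knows about, so a principal (the scalix-ual one in Florian's post) has to exist on the Windows side and its key exported to the Scalix host, which is what `ktpass` does on the DC. In exchange the user's password never leaves the Scalix host; Kerberos proves knowledge of it by decrypting the KDC's reply, whereas pam_ldap hands the password to the DC in the bind, which is the security difference Florian refers to.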

kali
Posts: 64
Joined: Sat Oct 29, 2005 12:13 am

Postby kali » Fri Apr 28, 2006 2:06 pm

Thanks Valerion and Florian,

I did discover that the pam_ldap (external) module works perfectly - after some tweaking. It does not require anything on the AD side (such as krb5 does) which has made it much easier for the client.

This approach is not really documented anywhere, but I think it has real validity and applicability, as you can sync users via omldapsync but still use AD authentication both externally and internally.

florian
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany

Postby florian » Fri Apr 28, 2006 2:22 pm

Well,

if you want, you can always contribute the full setup back to the community. I would suggest using www.scalix.com/wiki for this.

-- f.
Florian von Kurnatowski, Die Harder!
