
Re: unified login (unix + windows)



Hi,
 
>It is a dream of mine to have all passwords and users
>in one Ldap-Server.
 
We have the same dream, but we plan to use another approach.
 
We are an engineering school; we need to have common workstations in classrooms.
So each student has the same login, profile and personal environment on each
workstation. Until now, in the Win NT4 environment, no problem. All accounts are managed
on the PDC/BDC servers with password policy rules for the change frequency and password
format.
We want to introduce a Linux environment on the workstations, with the same login password,
using openldap with pam and nss.
Because our production environment is Win NT, we don't want to change the architecture.
For this reason:
   - we decided to keep our PDC/BDC under WinNT and not migrate these servers to a
     SAMBA environment;
   - we don't plan to migrate now to Win2K and Active Directory.
 
To avoid having to synchronize the passwords between Win NT and Linux, we plan to authenticate
Linux users on the Win NT PDC server (using the PAM-SMB module), and manage the Linux
accounts and profiles (name, group, uid, gid...) on the openldap server (using the PAM-LDAP and NSS modules).
With this configuration we only need to synchronize the account description on the LDAP server
using scripts. We keep our password policy managed on the PDC NT server.
 
To do that we need PAM-SMB, PAM-LDAP and NSS modules on the Linux configuration.
 
1) using the PAM-SMB module for the AUTH section in the pam.d files, we authenticate Linux
   users on the PDC server;
2) using NSS and PAM-LDAP in all other sections of the pam.d file, we reference the Linux user profile
   on the LDAP server;
3) we have to create and synchronize Linux account profiles on the LDAP server using
   scripts to generate LDIF files with the NT account descriptions (user name, uid and gid number, home dir...).
 
We have made tests on one workstation; it seems to work. The test user logs on NT or on Linux using the
same account and password.
We'll soon try this architecture in one classroom.
 
I hope this can help.
 
Jacques Landru
 
    -----oOo-----
 Jacques Landru
   mel:  landru@enic.fr
   web:  http://www.enic.fr/people/landru
   tel:  (+33) 3 2033 5556
   fax:  (+33) 3 2033 5598

 E.N.I.C.
 Cite scientifique, rue G. Marconi
 59658 VILLENEUVE D'ASCQ  Cedex
   web:  http://www.enic.fr
   Tel:  (+33) 3 2033 5577
   Fax:  (+33) 3 2033 5599
    -----oOo-----
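Step 3 of the setup above (generating LDIF from the NT account descriptions) as an added example; this is not the poster's script. The input record layout, the base DN and the sample accounts are constructed assumptions. It writes posixAccount entries without any userPassword attribute, since the password stays on the PDC, and rejects names that are not valid login names or whose uidNumber falls in the local system range, so a synced entry cannot shadow a local account.

```python
import base64
import re

# Constructed sample of NT account descriptions as the sync script might get them
# from a PDC export (field names are assumptions; the post gives no export format).
NT_ACCOUNTS = [
    {"user": "jdupont", "uidNumber": 2001, "gidNumber": 500, "home": "/home/jdupont", "gecos": "Jean Dupont"},
    {"user": "mleclerc", "uidNumber": 2002, "gidNumber": 500, "home": "/home/mleclerc", "gecos": "Marie Leclère"},
    {"user": "root", "uidNumber": 0, "gidNumber": 0, "home": "/root", "gecos": "NT export mistake"},
    {"user": "bad user", "uidNumber": 2003, "gidNumber": 500, "home": "/home/bad", "gecos": "Space in name"},
]

BASE_DN = "ou=People,dc=example,dc=org"          # assumption: the LDAP tree used by nss_ldap
SAFE_LOGIN = re.compile(r"^[a-z_][a-z0-9_-]*$")   # conservative POSIX login name syntax


def ldif_attr(name, value):
    """One LDIF attribute line; base64-encode when the value is not a SAFE-STRING (RFC 2849)."""
    s = str(value)
    if s.isascii() and s.isprintable() and not s.startswith((" ", ":", "<")) and not s.endswith(" "):
        return f"{name}: {s}"
    return f"{name}:: {base64.b64encode(s.encode('utf-8')).decode('ascii')}"


def account_to_ldif(acct):
    """posixAccount entry for one NT account. No userPassword: pam_smb authenticates against the PDC."""
    uid = acct["user"]
    lines = [
        ldif_attr("dn", f"uid={uid},{BASE_DN}"),
        "objectClass: top", "objectClass: account", "objectClass: posixAccount",
        ldif_attr("uid", uid),
        ldif_attr("cn", acct.get("gecos") or uid),
        ldif_attr("uidNumber", acct["uidNumber"]),
        ldif_attr("gidNumber", acct["gidNumber"]),
        ldif_attr("homeDirectory", acct["home"]),
        ldif_attr("loginShell", acct.get("shell", "/bin/bash")),
    ]
    if acct.get("gecos"):
        lines.append(ldif_attr("gecos", acct["gecos"]))
    return "\n".join(lines) + "\n"


def generate_ldif(accounts, min_uid=1000):
    """Validate and emit LDIF for all accounts; returns (ldif_text, rejected_login_names)."""
    seen_names, seen_uids, entries, rejected = set(), set(), [], []
    for a in accounts:
        name, num = a["user"], a["uidNumber"]
        # Reject malformed names, uids in the local system range, and duplicates.
        if not SAFE_LOGIN.match(name) or num < min_uid or name in seen_names or num in seen_uids:
            rejected.append(name)
            continue
        seen_names.add(name)
        seen_uids.add(num)
        entries.append(account_to_ldif(a))
    return "\n".join(entries), rejected
```

Feed the returned text to ldapadd on the openldap server; review the rejected list by hand rather than fixing names automatically.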