LDAP-GINA: Was Re: A possible way to have NT authentic against LDAP
Hi,

Some time ago there was a discussion on this topic, GINAs, NT and LDAP,
and I told someone on the list that I was working in this direction and
he asked me for the modules when they were ready, but I can remember
who.

I have been working on PAM-Gina and finally, some days ago, I have got
it working: it is able to check a user's username and password and check
them against an LDAP server, in my case OpenLDAP, of course ;-)

It is more a proof of concept than a working piece of software but it
works, now I have to make it usable.

The problem:
-we have several computing classrooms running NT in different faculties,
where students just sit and begin working at the workstation, there is a
generic user without password, this is the one that students use
-there is no unique way in which the faculties have configured their
classrooms, different domains, different generic users, different
software, etc
-we do not know who is sitting at the workstations, is he a student or a
foreigner?
-being anonymous, the users feel comfortable and try to abuse their own
workstation and others

The solution:
I would like to install the smallest piece of software which
1-asks the users for their usernames and passwords
2-checks them against an LDAP server
3-if valid username and password then impersonate the generic user, so
current configurations are applicable
4-records logins and logouts in a central loghost
5-allows certain filters to reject certain groups of users (ex: students
for one faculty that try to use workstations on another faculty) or
individuals
6-Configuration options for
...set of ldaphosts and corresponding ports
...search base
...DN and password for users performing searches
...loghost
...filter
...bypass users
7-Allow login even when no LDAP server is reachable.

What I have done until today: 1, 2, 3 and administrator bypasses LDAP
What still has to be done: 4, 5, 6, 7 and test it.

Problems I have:
1- I do not like NT
2- It's the first time I write a program under Visual C++
3- It's the first time I write a program under WinNT and Win32

Well, if someone is interested in helping or testing such a clumsy piece
of software, drop me a mail.

Cheers.
Salvador Salanova Fortmann
Gerald Carter wrote:
>
> Lars Nordin wrote:
> >
> > www.linuxworld.com/linuxworld/lw-1999-11/lw-11-integration_p.html
> > on an Open Source program for NT workstations to authenticate
> > against NIS uses an NT API for authentication.
> >
> > I skimmed the article and realized that using the same Windows
> > NT GINA API could be used to have NT clients authenticate
> > against LDAP.
>
> Same thought I had. Never could find an existing implementation
> though. The University of Michigan was working on a PAM GINA
> I think. Maybe something down that avenue.
>
> Cheers,
> jerry
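
The login decision from items 2, 5, 6 (bypass users) and 7 of the list in the message above, sketched in C as an added example; it is not part of the original message and not the author's GINA code. The bind hook, the type names, the group names and the sample users are assumptions constructed for illustration. It refuses an empty password before contacting the server, because an LDAP simple bind with an empty password is an unauthenticated bind that a server may report as success.

```c
#include <stdio.h>
#include <string.h>

typedef enum { BIND_OK, BIND_BAD_CREDENTIALS, BIND_UNREACHABLE } bind_result;
typedef enum { LOGIN_DENY, LOGIN_ALLOW, LOGIN_ALLOW_OFFLINE, LOGIN_LOCAL } decision;
/* Hypothetical hook: performs the LDAP simple bind and reports the user's group. */
typedef bind_result (*bind_fn)(const char *user, const char *pw, const char **group);

typedef struct {
    const char **bypass_users;   /* item 6: NULL-terminated, handled by normal NT logon */
    const char **denied_groups;  /* item 5: NULL-terminated, groups rejected here       */
    int allow_when_offline;      /* item 7: fail open when no LDAP server answers       */
} gina_policy;

static int in_list(const char **list, const char *s) {
    for (; list && *list; list++)
        if (strcmp(*list, s) == 0) return 1;
    return 0;
}

decision decide_login(const gina_policy *p, const char *user, const char *pw, bind_fn bind) {
    const char *group = NULL;
    if (!user || !*user) return LOGIN_DENY;
    if (in_list(p->bypass_users, user)) return LOGIN_LOCAL; /* NT still checks the password */
    if (!pw || !*pw) return LOGIN_DENY;  /* never send an empty-password bind */
    switch (bind(user, pw, &group)) {
    case BIND_OK:
        if (group && in_list(p->denied_groups, group)) return LOGIN_DENY;
        return LOGIN_ALLOW;
    case BIND_UNREACHABLE:
        /* Password and group are unverified here: log this outcome distinctly. */
        return p->allow_when_offline ? LOGIN_ALLOW_OFFLINE : LOGIN_DENY;
    default:
        return LOGIN_DENY;
    }
}

/* Constructed stand-ins for the bind hook and policies, for demonstration only. */
static int bind_calls;
static bind_result fake_bind_ok(const char *u, const char *pw, const char **g) {
    (void)pw; bind_calls++; *g = strcmp(u, "bob") ? "students-cs" : "students-law"; return BIND_OK;
}
static bind_result fake_bind_down(const char *u, const char *pw, const char **g) {
    (void)u; (void)pw; (void)g; bind_calls++; return BIND_UNREACHABLE;
}
static const char *demo_bypass[] = { "Administrator", NULL };
static const char *demo_denied[] = { "students-law", NULL };
static gina_policy demo_policy = { demo_bypass, demo_denied, 1 };
static gina_policy strict_policy = { demo_bypass, demo_denied, 0 };

int main(void) {
    printf("%d %d\n", decide_login(&demo_policy, "alice", "", fake_bind_ok),
           decide_login(&strict_policy, "alice", "secret", fake_bind_down));
    return 0;
}
```

With allow_when_offline set, any non-empty password is accepted while the servers are unreachable, so the LOGIN_ALLOW_OFFLINE outcome is the one worth sending to the central loghost once it is reachable again.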