Ask MetaFilter questions tagged with ldap

LDAP ADAM Active Directory combining

fumbducker — Thu, 05 Nov 2009 12:05:13 -0800

how can i combine multiple AD domains into one directory for application authentication? can i use ADAM? we have some applications that need to authenticate users against our AD. we have 3 domains that are not child domains of any one master domain. the application can only use one directory at at time. can these 3 AD domains be combined into one directory, using ADAM or some other LDAP application?

How not to store plaintext passwords?

bottlebrushtree — Thu, 08 Oct 2009 09:56:51 -0800

Best practices for storing OracleDB/mysql/ldap/smtp/etc... system passwords for enterprise application integration use? I'm working with a vendor who currently is storing passwords in plain text in configuration files.

If you've ever configured Wordpress you are familiar with how your mysql password gets placed in plain text in the wp-config.php file.
This vendor is doing a similar thing for mysql, ldap, smtp, etc...

This has made some people uncomfortable.

I'd like some suggestions for best practices to minimize the use of passwords in plaintext (or trivially encoded text) in text configuration files.

These passwords are being used to drive external databases, ldap auth, smtp sending, etc...

Their Java / Tomcat application is expected to be running 24/7 as a Server. This particular instance will be on Windows Server 2003 though Linux is also supported.

It would be nice if it would be possible to have unattended restarting of the application without a user having to enter in a master password, but if that is the only solution we may be comfortable with it.

Some background:

The application uses LDAP to authenticate users (and hence has the LDAP system password in a configuration file)

The application stores its data in a SQL database (Oracle in this case, though they also support mysql. We have to stay on Oracle)

The application sends mail using SMTP

Thanks.

How to centralize adminsitration of multiple Unix machines (and others)?

Imhotep is Invisible — Wed, 09 Sep 2009 11:45:34 -0800

I'm curious as to what are the current "best practices" when it comes to centralized administration of a network of Unix (primarily Linux, but not necessarily so) machines? Essentially, what is the equivalent of Active Directory for a network with one or more Unix hosts? The immediate answer I come up with would be something like OpenLDAP plus PAM but what I'm looking for is the suite of tools (GUI and CLI apps) for managing the directory, deploying software, centralizing sign-on and security, managing printers, etc. In a perfect world, I would like to centralize administration of Windows, Unix, and OS X machines via a single directory service, though I imagine such a solution would be expensive and/or cumbersome if it even existed. Or is this something Samba 4 will do?

Rebuilding Ubuntu Server 8.04 Help!!

purenitrous — Tue, 17 Feb 2009 11:40:27 -0800

I recently lost a raid array on a ubuntu 8.04 server forcing me to rebuild it from scratch and/or restore data from backup. (I have copies of /var, /etc, and /home) The problem is I can't seem to rebuild the server so that it works exactly the way it did before, this is killing me!! (fyi... I inherited this system). My specific problem seems to be with Samba. I'm looking for help in two different ways... help 1) either figure out how to restore this system with what I've got backed up. Or fix samba so it works. See details below: The previous system was Ubuntu 8.04. I've got good backups of /etc /var and /home.

What I want to do is simply build a basic install of ubuntu server 8.04 and restore /etc and /var. But this fails, because I am missing packages. I don't know what packages need to be installed to make this system complete. It seems like there should be something in my backup of /var/lib/apt should be able to tell me what packages are missing, need to installed, or reinstalled.

If I can't restore the server with the strategy above, I guess I need to rebuild the thing from scratch... which is what I've been doing and leads me to my next problem: Samba, LDAP, name resolution, and/or other unknown problems....

Samba user authenticate to openldap directory on another network. I've got nss working. I can do a #getent passwd and see ldap data. I've got my secrets.tdb setup and it seems like samba can query ldap. But I'm not sure all the naming services are working. In my /var/log/samba/log.smbd I see some errors "warning: failed to create BUILTIN\Administrators group! Can Winbind allocate gids?". (smb.conf log level = 5)

anyhow, I can post whatever log files or config files that might be helpful.

Another interesting clue to what might be wrong.... I have a win2k and wink3 server that both have shares with permissions for users from the domain that the failed Samba server was advertising. On the windows servers I've added the IP address of the WINS server on the network that the LDAP server is located... now the windows servers at least show user info in the permissions dialog box for the shares. But folks still can not authenticate to these windows shares... access is denied because of invalid credentials (or something).

Any ideas?

TIA,
Dave

openldap password change webapp?

tarheelcoxn — Wed, 17 Dec 2008 08:17:24 -0800

Need a webapp to allow my users to change their own LDAP passwords. I've got slapd (openldap) running on an Ubuntu server. I have various webapps (mediawiki, trac, cacti, etc.) that auth against slapd. I'd like my users to be able to change their own LDAP passwords by going to a webapp, and I thought I might be able to use phpldapadmin for that, but no dice. Does anybody know of a (preferably standalone) webapp for allowing users to change their LDAP passwords? I do not currently give my users login shells, and most of them wouldn't be comfortable using a CLI to change a password anyway. If you know of something packaged for Fedora (the OS), that's good, too.

cross platform shared address book

cowmix — Fri, 10 Oct 2008 06:29:21 -0800

What is the best / easiest shared cross platform shared address book solution out there? I'm a part of a small organization (50 people) spread across the country. Our company uses Linux (Thunderbird), Mac (Mail.app) and Windows (Outlook). What is the best solution to setup that will allow all of use to share a common contact list? I'm assuming LDAP will be used for address lookups but what is the best way to allow people to add entries. If not a LDAP based solution, what else can we use?

Anyone had any success using Apple's portable home directory feature without OS X server or a linux server?

Brian Puccio — Fri, 20 Jun 2008 16:09:00 -0800

I've read this, this, this and a bunch of other sites. I've got a Mac Pro and a Powerbook I'd like to share home directories over, but I'd rather not purchase OS X Server or get a small machine up and running Linux to deal with authentication (LDAP). Anyone authenticate locally, but still use the portable home directories? Alternatively, anyone just unison their entire /user/ directory? Thanks!

Can Address Book (OSX) show all of the LDAP entries in the given search base?

odinsdream — Tue, 29 Jan 2008 16:10:06 -0800

Creating a shared address book on an LDAP server to be accessed from Mac clients. Can I somehow get the directory to show all of the entries without having to search for one? Goal: Company address book stored in the LDAP server on OSX Server, searchable and browesable by anyone authenticated.

Here's my problem. All of the tutorials I've found end with Address Book connected to the LDAP server, and the entries stored, but you have to type a name to get it to show up. There is no list of entries in the directory.*

How can I get Address Book to show all of the LDAP entries in the given search base? This is a very small company, there is no danger of queries returning thousands of entries.

This is not going to fly with the client. "What do you mean I type in who I'm looking for? I don't know who I'm looking for, if I knew that I wouldn't be looking for them."

Workgroup Manager

The Jesse Helms — Tue, 20 Jun 2006 12:36:56 -0800

I'm looking for a great end-user web-based LDAP interface. Something like GOsa or simpler, but that will run on OSX. For scale LDAP Admin is too low level. Thanks!

LDAP Netgroups Help?

dyno04 — Thu, 01 Jun 2006 15:15:46 -0800

I am looking for information on setting LDAP based netgroups for a fedora core multi-user environment. We are currently using a listfile setup, but would like to migrate to LDAP. I have a couple of books and searched all over google, but have not found a good tutorial to do this. Nate

Active Directory (LDAP) + Linux = passwords?

Mozai — Fri, 26 May 2006 11:11:19 -0800

Where do I find doccos that tell me how to authenticate my PAM-capable unix boxen against Microsoft's Active Directory? Microsoft says "well, just upgrade your 2003 Server Enterprise to 2003 Server Enterprise R2 !" which sounds like paying >$10,000 just so I can get a couple-hundred byte snap-in for AD.

I've seen very little documentation on this, although I'd think it would be very popular in a hetrogenous office network. You've already got a Domain Controller, running Active Directory, that everyone's workstation authorizes against. You've got a farm of Linux machines that can do the pam_ldap thing, and Active Directory speaks LDAP. However, just pointing pam_ldap at AD doesn't work because AD is missing stuff.

Message Board Software

yeahyeahyeahwhoo — Mon, 13 Mar 2006 06:28:07 -0800

Can anyone reccommend message board software that can run on Apache and authenticate through Active Directory / LDAP? For my needs this doesn't have to be free, but needs to be production quality.

Home Sync and Mac OS X

jasmeet — Tue, 07 Mar 2006 14:05:00 -0800

Does anyone know how to get the Home Sync function in Mac OS X working? I know you need Mac OS X Server working, which I happen to have access too. I read something about needing to setup at LDAP server, which I'm not sure how to do (but willing to learn)

I'd like to be able to get home, open up my iBook, and have it sync the home directory to a server at home, and then go to work, have it sync to a server as well.

proxy server authenticating w/LDAP?

spock — Tue, 02 Aug 2005 17:56:46 -0800

Anybody ever set up a proxy server that authenticates using an external LDAP server - so that (for example) off-campus university students can access third-party web services that are restricted to campus IP addresses? Well, it is worth a shot!

I'm guessing that I would be using Squid, but the configuration is intimidating the heck out of me. RTFM? Or do you have any pointers? I'm not interested in caching - just authenticating and presenting a campus IP number to the third party services.

polling LDAP for changes

sbutler — Thu, 09 Jun 2005 19:56:54 -0800

LDAPFilter: I'm writing an application that stores its configuration in an LDAP server. I'd like to have it poll the server and reload itself when the configuration changes. What's the best way to do this? My product will run on eDirectory, but I'd like to make it as compatible with other servers (primarily OpenLDAP) as possible. If I were just worried about eDirectory then I'd simply use the Revision attribute because it is incremented each time there is a change. Then I noticed that both OpenLDAP and eDirectory include the operational attribute modifyTimestamp which seems like exactly what I needed... at first glance.

The problem is with eDirectory, partitions, and replicas. The server I connect to will only hold a sub-reference of a partition with multiple read-write replicas. Thus, if I modify an object and then immediately read the modifyTimestamp back then I'm not guaranteed that I'll hit the same replica for both operations (and I might get the old timestamp instead of the new one).

Couple solutions I've come up with: (1) just fudge the value in my software by 30 seconds, but then I'm relying on the fact that my machine has a synced time with the tree. (2) Sleep in my software for 30 seconds and then read the value out, but I hate to add extra delay, especially since it may be perceptable to the user. (3) Loop over a search until I get the updated timestamp. (4) Force the administrator to point my software at a single LDAP server holding a read-write replica, but then I lose redundancy.

I just wish OpenLDAP had an equivalent to the Counter syntax. Any developers out there have a good solution to this? Or should I just hack in one of 1-4 above? I want to write robust software, but I'm torn on what to do.

Apache, LDAP, ActiveDirectory

yerfatma — Mon, 01 Nov 2004 15:13:25 -0800

Apache, LDAP, ActiveDirectory and You: I have an application running on Apache. I would like to restrict access to the folder(s) it runs in by authenticating users against our Windows ActiveDirectory server, but I'm having trouble crafting the right URL. I have mod_auth_ldap up and running and I'm blocking access to a given folder with a block in my httpd2.conf file. I'm providing a AuthLDAPBindDN and password combo in that block and providing a URL to the AD/LDAP server. It looks something like this:

AuthLDAPURL ldap://location.company.com:389/

and I've tried any number of things after that. I don't really understand how to form the rest of the URL to tell it "search this AD server for the name the user provides inside the Users subtree." I've tried using a Windows utility called "ldp.exe" to form queries, but it's less than helpful. It provides some feedback, but doesn't let you build actual URLs, forcing you to use its form inputs. I tried connecting with Thunderbird's address book as it provides a bit more of a "raw" interface, but I couldn't even connect with that.

Multiple contact lists are driving me crazy!

smackfu — Wed, 15 Sep 2004 08:58:21 -0800

If you use IMAP to access your mail from multiple computers, how do you deal with the different contact lists? I have out-of-sync lists everywhere and it's driving me crazy.