ldap gina

Andrew Bartlett abartlet at pcug.org.au
Wed Mar 6 23:04:05 GMT 2002


Osama Dengler wrote:
> 
> Hello David,
> 
> the project consists of two parts: 1.) a GINA that handles all user
> input and 2.) LdapLsaAp, a Windows NT authentication package
> that authenticates the user against an LDAP directory and creates
> a primary security token. I'm working on this authentication package
> at the moment. First I thought about retrieving the user's information
> from the LDAP which worked fine but had the disadvantage that all
> other WinNT subsystems retrieve their information from the SAM.
> This could lead to confusing situations (e.g. granting access to a
> file for a particular user but that user account doesn't exist in the
> LDAP dir). Therefore I'm rewriting the authentication package to also
> gather all information - except the user's password - from the SAM.
> 
> In the meantime I'm tending back towards the first solution for
> various reasons (mainly because it's a pain to get all information
> required for a primary token without all the undocumented SAM
> calls). The best setup might be a samba server as PDC using
> LDAP for the SAM information together with LdapLsaAp accessing
> the same SAM data.

I really don't see what this gains you (apart from a *lot* of work) over
just running Samba as a PDC on an LDAP backend.   That way you don't
need to worry about undocumented SAMR interfaces, as samba already
handles all that.  

You are going to need NT and LM hashes in your LDAP directory the moment
you want to do a file-share connect anyway (not needing these being the
main reason I can see for doing this).

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net