[Samba] Setup LDAPS or other solution for ldap
Rowland Penny
rpenny at samba.org
Thu May 11 09:18:18 UTC 2023
On 11/05/2023 09:51, matti.kaupenjohann via samba wrote:
>
>> The problem is, the OP doesn't want to join the domain with all their
>> computers. Now you and I know that, to get the best results, it is
>> better to join a domain, somehow we have to convince people of this.
>
> I am convinced but do not understand everything yet:)
>
> If I understand this correctly, I join the domain with all our client
> access machines and our servers. I limit the direct authentication to
> our servers via group policies. Now I have, as an example, a guacamole
> instance running on one of our servers. Only the domain-administrator
> and the server-auth-group have login access. For the guacamole service I
> want my users to be able to connect to guacamole via ldap (or in this case
> via ldaps?). For my test scenario I would use my self-signed
> certificates, but later in a real scenario we have access to real ones.
> So with this example it sounds like the easiest and best approach is
> kinit and not ldaps. Am I right?
>
I am no longer sure, Andrew has said previously that using kerberos
instead of ldaps is more secure because it is encrypted 'end-to-end',
but now he seems to be saying something different. He has also
previously said that ldaps doesn't work fully on Samba AD and to use
kerberos instead, but again, he now seems to be saying the opposite.
However, if Apache Guacamole can use kerberos (and it should be able
to), then it will be easier to use, but only from a domain joined
machine. On a non-joined machine, it should be possible to make it work, but
it will require much more configuration and maintenance.
The reason that domains came about was that admins had to duplicate work
on numerous machines and then keep them in sync. With domains, you only
have one point of major maintenance.
Rowland
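As an added check, not code from this thread or from the Samba or Guacamole projects: a small Python audit of a guacamole-auth-ldap configuration that flags a plain-LDAP user bind (the weak setting) beside the LDAPS form. The property names are assumed from the Guacamole LDAP extension documentation, and the sample property files are constructed.

```python
"""Audit a Guacamole LDAP extension config for unencrypted user binds.
Added example, not from the thread; property names follow the
guacamole-auth-ldap extension and the sample files are constructed."""
from typing import Dict, List

# Constructed sample guacamole.properties fragments: weak and corrected.
WEAK_PROPERTIES = """\
ldap-hostname: dc1.example.internal
ldap-port: 389
ldap-encryption-method: none
ldap-user-base-dn: cn=Users,dc=example,dc=internal
"""

HARDENED_PROPERTIES = """\
ldap-hostname: dc1.example.internal
ldap-port: 636
ldap-encryption-method: ssl
ldap-user-base-dn: cn=Users,dc=example,dc=internal
"""

def parse_properties(text: str) -> Dict[str, str]:
    """Parse 'key: value' or 'key=value' lines, skipping blanks and # comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sep = ":" if ":" in line else "="
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props

def audit_ldap_encryption(props: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means user binds are protected by TLS."""
    findings: List[str] = []
    # An absent method is treated as none, which is the extension's default.
    method = props.get("ldap-encryption-method", "none").lower()
    port = props.get("ldap-port", "636" if method == "ssl" else "389")
    if method == "none":
        findings.append("ldap-encryption-method is none: passwords cross the wire in clear text")
    elif method == "ssl" and port != "636":
        findings.append(f"ssl with ldap-port {port}: LDAPS normally listens on 636")
    elif method == "starttls" and port == "636":
        findings.append("starttls with ldap-port 636: STARTTLS upgrades a plain 389 session")
    elif method not in ("ssl", "starttls"):
        findings.append(f"unknown ldap-encryption-method {method!r}")
    return findings
```

Run it against the real guacamole.properties before exposing the service; with a self-signed certificate the LDAPS form also needs that CA trusted by the Java keystore Guacamole runs under.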