pam_gina, ldap_gina



I apologize in advance for my humble amount of knowledge on this subject, but
if anyone can clear up a few questions for me I would appreciate it.

Also, thanks to the many who have already replied.

objective: use central ldap to authenticate unix and nt users

problem:  NT OF COURSE!

solution: modify MSGINA to authenticate NT users against ldap instead of via
the MSGINA, LSA, and SAM

questions:
1.  Has anyone written some code that will do this?  :  )
2.  Do you need to write a modified version of the MSGINA for each MS OS
(windows 3.1, 95, NT, and 2k)?
3.  With this type of approach does the ldap_GINA authenticate against the
person objectclass (DN & userpassword) in the ldap directory and then pass
the NT user data back to a function in the ldap_gina library that funnels
these credentials to the LSA to persuade the LSA to generate a SAT?????


Curve Ball !

I am starting to wonder if KERBEROS is a better solution to implement.  But
this raises new questions.  (by the way my understanding of kerberos is
definitely lacking)

1.  Can NT credentials be stored in kerberos? 
2.  If NT credentials cannot be stored in kerberos, can the GINA still be
modified so that NT native authentication can be circumvented?
3.  By using kerberos have I lost all the flexibility that a central ldap
directory can provide?

J.Trotta
Pratt & Whitney