
Re: pam_gina, ldap_gina



Johathan,

The GINA interface is only in NT and Win2K.  It is not in Win 3.1, Win 95,
or Win98.  It is only possible to install one GINA module on a given client
at a time, meaning that if you have another GINA present, e.g. the one that
comes with NetWare, only one of the two can be active.

An alternative to GINA is to build something called a Network Provider, as
described in the MSDN documentation for Win95/98.  The Network Provider
interface is supported on 95, 98, ME, NT, and Win2K, but not Win 3.1.

As for Kerberos, if you get Win2K, it has built-in Kerberos.  Microsoft
provides Kerberos clients for Win95, Win98, and ME, but not for NT.  You
can get other Kerberos clients for NT, but I don't know if they
interoperate with Win2K.

You probably should take this up with Microsoft.  It's not an LDAP issue,
and I think the only folks who can advise you are in Redmond.

Regards,
John McGarvey
IBM
(any opinions expressed are not necessarily those of my employer)

"Trotta, Johathan R." <trottajr@pweh.com>@OpenLDAP.org on 2000/12/13 12:13:30 PM

Sent by:  owner-openldap-general@OpenLDAP.org


To:   "'openldap-general@OpenLDAP.org'" <openldap-general@OpenLDAP.org>
cc:
Subject:  pam_gina, ldap_gina



I apologize in advance for my humble amount of knowledge on this subject,
but if anyone can clear up a few questions for me I would appreciate it.

Also, thanks to the many that have already replied.

objective: use central ldap to authenticate unix and nt users

problem:  NT OF COURSE!

solution: modify MSGINA to authenticate NT users against ldap instead of
via the MSGINA, LSA, and SAM

questions:
1.  Has anyone written some code that will do this?  :  )
2.  Do you need to write a modified version of the MSGINA for each MS OS
(windows 3.1, 95, NT, and 2k)?
3.  With this type of approach does the ldap_GINA authenticate against the
person objectclass (DN & userpassword) in the ldap directory and then pass
the NT user data back to a function in the ldap_gina library that funnels
these credentials to the LSA to persuade the LSA to generate a SAT?????


Curve Ball !

I am starting to wonder if KERBEROS is a better solution to implement.  But
this raises new questions.  (by the way my understanding of kerberos is
definitely lacking)

1.  Can NT credentials be stored in kerberos?
2.  If NT credentials can not be stored in kerberos can the GINA still be
modified so that NT native authentication can be circumvented?
3.  By using kerberos have I lost all the flexibility that a central ldap
directory can provide?

J.Trotta
Pratt & Whitney