Linux - Server (LinuxQuestions.org): This forum is for the discussion of Linux software used in a server-related context.
I am having a problem with LDAP that I would like some opinions on for solving.
I have Ubuntu Server 9.10 installed on a server that is supposed to be a backup server for a large academic group. We have an LDAP server for the entire institution for user authentication etc.
The goal is to use the institution's LDAP server for user authentication over Samba, SSH, etc.
The problem:
I do not have admin access to the LDAP server and very little knowledge of how it's set up.
I have set up an LDAP client successfully and can log into the backup server through SSH with LDAP credentials. I am unable to set up Samba as I do not have the admin password on the LDAP server.
I have the added issue of subgroups within my own group. Members of one subgroup should not have direct access to other subgroups' data. The original LDAP server does not recognize these subgroups and I obviously do not have rights to add groups to that server.
I am by no means an expert with LDAP and am completely stuck on how to proceed. I wanted to possibly duplicate or mirror the LDAP server, then add the Samba authentication and extra groups to my own server. I am clueless on how to do that.
I do not have any support from the IT department of the institution; they will not support stuff they did not set up, and they will not set up a group backup server or Samba, as they would prefer us to use their backup facilities (which are nearly at extortion-level prices).
I hope I have given a clear outline of my problem... it is hard since I don't 100% understand it myself.
I would welcome any hints/suggestions or tips.
Thanks
I can understand your difficulties if the institution-level IT is not cooperating and you don't have access to some things you may need. I am at a fairly large academic institution with a similar situation. However, we do have a little better cooperation. We are using pubcookie for the cross-department solution. The hangup I see is that you don't want everyone at the institution to be able to access your departmental servers. What we did is set up our own LDAP server and have our own accounts with our own configuration of classes and groups, etc. We synchronize the naming of accounts with their institutional names, and we set garbage passwords. Then, when a student first wants to use one of our servers for printing or file sharing, they have to authenticate against the campus server using pubcookie. That allows them to set their password on our servers and then gain access. If there is no matching account, then there is no access. Even that requires some level of cooperation. We have to exchange server certs with the central IT, and they require the right to security-audit our servers. The overall result is some semblance of single sign-on with autonomous control over accounts and access on our servers.
Hey,
Thanks for the reply.
You are right, it is very frustrating when there is no cooperation from the institution.
In the end I did something that didn't occur to me when writing the post, which is to use PAM with the institution's LDAP server, and all our services authenticate through PAM. It is not ideal and we have some irritating scripts to manage permissions and user groups, but at least it works...
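The pattern the poster landed on, authenticate against the institution's LDAP but authorize with groups the department controls, is worth spelling out, since the "irritating scripts" are where access control actually lives. The following is an added example and is not code from the thread or from any of the projects mentioned. It assumes (not stated in the thread) that nsswitch.conf lists `group: files ldap`, so a group defined in the local group file is visible to sshd, pam_access and Samba even though its members are LDAP accounts that the local passwd file never defines, and it assumes one membership list per subgroup kept under a hypothetical `/etc/security/subgroups.d/`. The membership list is the only thing an admin edits; the script makes the local group match it exactly, so a user removed from the list loses access on the next run even though the institution's LDAP still authenticates them.

```shell
#!/bin/sh
# Local-group authorization on top of institutional LDAP authentication.
# LDAP (via PAM) answers "is this password right?"; the local group file
# answers "may this user touch this subgroup's data?". Added example, not
# from the original thread.
#
# Assumed layout (hypothetical): /etc/security/subgroups.d/<group> holds one
# LDAP username per line. GROUP_FILE defaults to the real group file; point it
# at a copy when testing so nothing runs as root.
GROUP_FILE="${GROUP_FILE:-/etc/group}"

# Print the comma-separated member list of a local group (empty if absent).
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4; exit }' "$GROUP_FILE"
}

# Exit 0 if user $1 is listed in local group $2, 1 otherwise. This is the
# same question sshd AllowGroups / Samba "valid users = @grp" end up asking.
in_group() {
    group_members "$2" | tr ',' '\n' | grep -Fqx -- "$1"
}

# Refuse anything that is not a plain POSIX-style username: a colon or comma
# written into the group file would corrupt it or silently add members.
valid_username() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_.-]{0,31}$'
}

# Make local group $1 contain exactly the users listed (one per line, '#'
# comments allowed) in file $2. The group must already exist (create it once
# with groupadd). The file is rewritten via a temp file and mv so an
# interrupted run never leaves a half-written group file behind.
sync_group() {
    group="$1"; listfile="$2"
    awk -F: -v g="$group" '$1 == g { f = 1 } END { exit !f }' "$GROUP_FILE" || {
        printf 'sync_group: no local group %s\n' "$group" >&2
        return 1
    }
    members=""
    while IFS= read -r user || [ -n "$user" ]; do
        case "$user" in ''|'#'*) continue ;; esac
        if ! valid_username "$user"; then
            printf 'sync_group: rejecting bad username %s\n' "$user" >&2
            return 1
        fi
        members="${members:+$members,}$user"
    done < "$listfile"
    tmp="$GROUP_FILE.tmp.$$"
    awk -F: -v OFS=: -v g="$group" -v m="$members" \
        '$1 == g { $4 = m } { print }' "$GROUP_FILE" > "$tmp" && mv "$tmp" "$GROUP_FILE"
}

# Typical cron usage (assumed paths): resync every subgroup from its list.
# for f in /etc/security/subgroups.d/*; do sync_group "$(basename "$f")" "$f"; done
```

Once the local groups exist, the services only need to be told to consult them: `AllowGroups labA labB` in sshd_config, per-share `valid users = @labA` in smb.conf, and for everything else that goes through PAM, pam_access with `+ : (labA) (labB) : ALL` followed by `- : ALL : ALL` in /etc/security/access.conf, so that a valid institutional password alone is never enough. Two caveats a practitioner would add: keep the membership lists under version control and review removals as carefully as additions, because the institution will keep authenticating departed users until they are pruned here; and make sure the LDAP client talks TLS (ldaps or StartTLS with the CA certificate configured), since PAM is sending every user's institutional password across the network.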