Old 01-30-2010, 01:40 PM   #1
murra1a
LQ Newbie
 
Registered: Jan 2009
Posts: 2

Rep: Reputation: 0
ldap server/client issues


Hi all,

I am having a problem with LDAP that I would like some opinions on for solving.
I have Ubuntu Server 9.10 installed on a server that is supposed to be a backup server for a large academic group. We have an LDAP server for the entire institution for user authentication etc.
The goal is to use the institution's LDAP server for user authentication over Samba, SSH, etc.
The problem:
I do not have admin access to the LDAP server and very little knowledge of how it's set up.
I have set up an LDAP client successfully and can log into the backup server through SSH with LDAP credentials. I am unable to set up Samba as I do not have the admin password on the LDAP server.
I have the added issue of subgroups within my own group. Members of one subgroup should not have direct access to other subgroups' data. The original LDAP server does not recognize these subgroups and I obviously do not have rights to add groups to that server.

I am by no means an expert with LDAP and am completely stuck on how to proceed. I wanted to possibly duplicate or mirror the LDAP server then add the samba authentication and extra groups to my own server. I am clueless on how to do that.

I do not have any support from the IT department of the institution; they will not support stuff they did not set up and they will not set up a group backup server or Samba, as they would prefer us to use their backup facilities (which are nearly at extortion-level prices).

I hope I have given a clear outline of my problem... it is hard since I don't 100% understand it myself.

I would welcome any hints/suggestions or tips
thanks
 
Old 01-31-2010, 10:28 AM   #2
choogendyk
Senior Member
 
Registered: Aug 2007
Location: Massachusetts, USA
Distribution: Solaris 9 & 10, Mac OS X, Ubuntu Server
Posts: 1,197

Rep: Reputation: 105
I can understand your difficulties if the institution-level IT is not cooperating and you don't have access to some things you may need. I am at a fairly large academic institution with a similar situation. However, we do have a little better cooperation. We are using pubcookie for the cross-department solution. The hangup I see is that you don't want everyone at the institution to be able to access your departmental servers. What we did is set up our own LDAP server and have our own accounts with our own configuration of classes and groups, etc. We synchronize the naming of accounts with their institutional names, and we set garbage passwords. Then, when a student first wants to use one of our servers for printing or file sharing, they have to authenticate against the campus server using pubcookie. That allows them to set their password on our servers and then gain access. If there is no matching account, then there is no access. Even that requires some level of cooperation. We have to exchange server certs with the central IT, and they require the right to security audit our servers. The overall result is some semblance of single sign-on with autonomous control over accounts and access on our servers.
 
Old 02-01-2010, 07:40 AM   #3
murra1a
LQ Newbie
 
Registered: Jan 2009
Posts: 2

Original Poster
Rep: Reputation: 0
Hey,
Thanks for the reply.
You are right, it is very frustrating when there is no cooperation from the institution.
In the end I did something that didn't occur to me when writing the post,
which is to use PAM with the institution's LDAP server, and all our services authenticate through PAM. It is not ideal and we have some irritating scripts to manage permissions and user groups, but at least it works...
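
The arrangement this thread ends on (authentication through PAM against the institution's LDAP, with subgroup permissions handled by local scripts) can be sketched as a dry-run planner. This is an added example, not a script from any poster; it assumes the host resolves groups from local files as well as LDAP, and every group name, user name and path in it is a constructed sample value.

```shell
#!/bin/sh
# Added example: dry-run planner for local subgroup isolation on a host whose
# users authenticate through PAM against an external LDAP server.
# Group names, user names and the base path are constructed sample values.

# Constructed sample map: one "subgroup:comma-separated LDAP usernames" per line.
sample_map() {
cat <<'EOF'
grp_alpha:asmith,bjones
grp_beta:cdoe,dlee
grp_gamma:bjones,ekim
EOF
}

# Print every user that appears in more than one subgroup; such a user
# could read another subgroup's data.
find_overlaps() {
    awk -F: '{ n = split($2, u, ","); for (i = 1; i <= n; i++) print u[i] }' |
        sort | uniq -d
}

# Emit (do not run) the commands that create each local group, set its
# membership, and restrict its data directory to that group only.
plan_groups() {
    base=$1
    while IFS=: read -r grp members; do
        [ -n "$grp" ] || continue
        printf 'groupadd -f %s\n' "$grp"
        printf 'gpasswd -M %s %s\n' "$members" "$grp"
        # Mode 2770: no access for others; setgid keeps new files in the group.
        printf 'install -d -o root -g %s -m 2770 %s/%s\n' "$grp" "$base" "$grp"
    done
}

# Refuse to produce a plan while any user sits in two subgroups.
build_plan() {
    map=$(cat)
    dupes=$(printf '%s\n' "$map" | find_overlaps)
    if [ -n "$dupes" ]; then
        printf 'overlap: %s\n' $dupes >&2
        return 1
    fi
    printf '%s\n' "$map" | plan_groups "$1"
}

# Demo: the constructed map has bjones in two subgroups, so the plan is refused.
sample_map | build_plan /srv/backup || echo "plan refused: fix overlaps first"
```

The planner only prints commands, so the output can be reviewed before anything is run as root.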
 
  


All times are GMT -5.