You should have a look at this project: http://www.pgina.org/
I've used it to authenticate users to Windows (non-AD) + eDirectory for lab machines at a college where the college had LDAP accounts for all users. This was 3 or so years ago. Think of it as PAM for Windows.

The Windows auth libraries are called "GINAs." The native one is msgina.dll. Some other products insert their GINAs before this one, in a chain. For example, PCAnywhere has its own GINA, Novell client has its own GINA, etc. I'm sure there are other examples. At each point in the chain, if the authentication succeeds, it moves on to the next link in the chain until you are finally authenticated.

pGina is an Open Source GINA which has a plugin API so that you can use it to authenticate against various databases like LDAP, NIS, etc. There are some interesting ones out there (including one that authenticates you against your Slashdot account). And, of course, you can write your own.

In our case, we set it up to authenticate users against the university LDAP, and if that succeeded, we had registry keys that automatically logged the user in as a generic account for that individual lab computer. I had actually written a little script to log usage to a MySQL db, but it looks like somebody has contributed a plugin to do this.

On Fri, Dec 11, 2009 at 7:19 AM, Adam Tauno Williams <[email protected]> wrote:
>> > > AD is solid, scalable, and well supported. There *are* some gotchas if
>> > > you are looking for 100% LDAP compatibility, but for authc/authz (login,
>> > > groups, etc.) nothing else performs quite as well. (I do hope that Open
>> > > LDAP catches up!)
>> > What is the advantage of going ldap against AD vs. using kerberos ?
>> OpenLDAP/kerberos works swimmingly on Linux and Mac, and has
>> cheap failover options; I've not gotten a non-AD LDAP/kerberos
>> type system working to auth windows clients, so I guess the advantage
>> of AD is that you can use it on windows clients as well as Linux
>> clients.
>
> Yep, if you have Windows, and want a domain, you need AD. Windows does
> not support Kerberos or LDAP [not in any real-world usable way].
>
> --
> OpenGroupware developer: [email protected]
> <http://whitemiceconsulting.blogspot.com/>
> OpenGroupware & Cyrus IMAPd documentation @
> <http://docs.opengroupware.org/Members/whitemice/wmogag/file_view>
>
> _______________________________________________
> Tech mailing list
> [email protected]
> http://lopsa.org/cgi-bin/mailman/listinfo/tech
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
