02-22-2010, 02:42 PM
LDAP: possible problems with user authentication
Hi!

Some service (software) companies have been telling us 'not to use
ldap for user authentication'; instead they recommend us to use
Microsoft Active Directory, this because, they say, LDAP is
problematic, talking about domain, and hard to use - for example it is
very complicated to change a password in LDAP, versus the graphical
interface of Active Directory.

We think Active Directory can be an open door for our system, so we
really want to use LDAP, because all our servers are going to be in
Debian...

So we want to know your experience with LDAP.

Thank U !!!
--
Germana Oliveira
germanaoliveirab arroba gmail punto com
http://626f67.wordpress.com
http://slcarabobo.wordpress.com

02-22-2010, 07:14 PM
Germana Oliveira wrote:
> Hi!
> Some service (software) companies have been telling us 'not to use
> ldap for user authentication' instead they recommend us to use
> Microsoft Active Directory, this because, they say, LDAP is
> problematic, talking about domain, and hard to use - for example is
> very complicated to change a password in LDAP, versus the Graphical
> interface of Active Directory.
> We think, Active Directory can be a open door for our system, so we
> really want to use LDAP, because all our servers are going to be in
> Debian...
> So we want to know your experience with LDAP.

Ask Microsoft. Active Directory *is* LDAP. These people are pulling your
<appendage of choice>, as they will know perfectly well what Active
Directory is.

It's not hard to make any kind of graphical interface you want for LDAP.
I have an LDAP email directory at home, and I've thrown together a few
extremely simple PHP pages to manipulate it. If I need to do something I
didn't bother to put into my pages, I use a graphical LDAP editor.

It's not hard to query Active Directory, if you have an account with
suitable permissions. DSQUERY is the Windows command-line (yes, it does
have one) LDAP query tool. ADSIedit is a GUI LDAP query tool.

http://technet.microsoft.com/en-us/library/cc732952%28WS.10%29.aspx
http://support.microsoft.com/kb/312299

Windows users expect to use a single account to access everything, so if
you work closely with a Microsoft domain, it would probably be a good
idea to use the AD account database, either directly or by replicating
it to a local OpenLDAP server.
--
Joe

02-22-2010, 08:49 PM
We are really convinced that OpenLDAP is a way better choice than Active Directory, most if we already decided that Debian is going to be our servers' OS...

I have been googling about OpenLDAP problems and found nothing very difficult or weird; most of them are user problems: bad configurations, etc.

But really hoping you can tell me more about your experience, personal and professional (implementations in: industries, commercial, corporations, organizations).

Thanks Joe for the quick reply!
--
Germana Oliveira

02-22-2010, 09:31 PM
I just forgot something.

AD manages the (user) permissions and groups stuff: like - this user can access this printer or that user can not use a pen drive - and I haven't found yet something like that in free software, or something similar in LDAP or with LDAP (OpenLDAP).

Does someone have some idea?
--
Germana Oliveira

02-23-2010, 03:35 AM
On Mon, Feb 22, 2010 at 05:31:57PM -0400, Germana Oliveira wrote:
> i just forgot something.
>
> AD manage the (user) permissions and groups stuff: Like - this user can
> access to this printer or that user can not use pen drive - and i haven`t
> found yet something like that in free Software, or something similar in LDAP
> or with LDAP (openLdap)

You are mixing things up. ADS/LDAP is a directory service; what you do
with that information is up to you.
ADS has a nice GUI interface to place users into groups.
The filesystem and security engine of Windows determines access/rights.

02-23-2010, 11:36 AM
So, you're telling me that ADS/LDAP does the same thing you can do with just LDAP (without the interface)... I mean, a directory service. Groups, rights and security are managed by the OS itself?

What Active Directory does is to give you the facility to manage all those things together?

But with Debian for example, and without AD, you can do it separately? Am I close?

Well, I have to read a LOT.

Thanks!
--
Germana Oliveira

02-23-2010, 01:09 PM
Please don't top post.

Germana Oliveira wrote:
> So, you're telling me that ADS/LDAP do the same thing you can do just
> with LDAP (without the interface) .. i mean, a directory service.
> Groups, rights and security is manage by the OS itself ?.
> What Active Directory does is to give you the facility to manage all
> those things together?
> But with Debian for example, and without AD, you can do it separately ?
> am i close?
> Well i have to read a LOT.

Ldap is a certain database protocol designed for managing directory
information. AD is implemented in ldap by specifying a certain set of
properties that are queried against when the OS is determining user
data. Combining samba with ldap, there are plenty of howtos for having
ldap user authentication and domain configuration for windows clients on
a Linux server.

Printer access restricting can be dealt with from cups, files can be
protected using the normal acl in Linux. You can also make certain
devices r/w for certain groups only, thereby blocking other groups (as
is already standard in Linux: you want to use usb-sticks? You must be a
member of plugdev etc.)

However, ldap is much more. E.g. you can have a different set of
properties that allows your mail client to store its address book.

Also, AD is a bit more than ldap. First, it doesn't use ldap
authorization but kerberos, which is also available for Linux
(kerberos-heimdal) and can be made to work together with ldap. There are
also some slight differences which make a Linux-samba server not a fully
compliant windows server, which supposedly should be dealt with in samba
v4 (see samba howtos for the details).

By the way, there are many nice tools for managing ldap databases. For
user management, I'd recommend the web-based ldap-account-manager.

And finally: don't believe in the bullsh*t that changing passwords is
difficult. When properly set-up it is as hard as doing a 'passwd' from
any of the Unix clients/servers or using the password-change gui from
any of the windows clients. The only trickery is the 'when properly
set-up': use one of the many howtos! Keywords that I can come up with now
are "samba windows domain server howto"

Sjoerd
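
The split described in this thread (the directory only stores accounts and groups, the operating system decides access) shown as an added example; it is not part of any poster's message. The LDIF entries, the users alice and bob, the example.org suffix and the device ownership are constructed sample values, and the parser handles only plain `attr: value` lines.

```python
import stat

# Constructed sample entries: what an LDAP directory holds for two users.
LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: posixAccount
uid: alice
uidNumber: 2001
gidNumber: 2000

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: posixAccount
uid: bob
uidNumber: 2002
gidNumber: 2000

dn: cn=plugdev,ou=groups,dc=example,dc=org
objectClass: posixGroup
cn: plugdev
gidNumber: 46
memberUid: alice
"""

def parse_ldif(text):
    """Split LDIF into entries; each entry maps attribute -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def resolve_user(uid, entries):
    """Return (uidNumber, gid set): primary gid plus posixGroup memberships."""
    account = next(e for e in entries
                   if "posixAccount" in e["objectClass"] and uid in e["uid"])
    gids = {int(account["gidNumber"][0])}
    for e in entries:
        if "posixGroup" in e["objectClass"] and uid in e.get("memberUid", []):
            gids.add(int(e["gidNumber"][0]))
    return int(account["uidNumber"][0]), gids

def may_write(uid, entries, owner_uid, owner_gid, mode):
    """Owner/group/other write check as the OS applies it to a device node."""
    uid_number, gids = resolve_user(uid, entries)
    if uid_number == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

ENTRIES = parse_ldif(LDIF)
# Hypothetical USB stick device node: owner root, group plugdev (46), mode 0660.
USB = dict(owner_uid=0, owner_gid=46, mode=0o660)

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, "may write to USB stick:", may_write(user, ENTRIES, **USB))
```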

02-23-2010, 01:28 PM
I have been searching for some tools (free software tools) and I have found some:

Apache Directory Server: looks good but I don't like the Java stuff. "Apache Directory Server is an open source LDAP directory server implemented in java."

GOsa: looks very good and developed in PHP, could be a good choice, I think.

WBSAgnitio: (from Spain) looks good too and it's being implemented in the public administration... it's like a complete OS with a web interface.

Or maybe Fedora Directory Server, RedHat/CentOS directory... maybe a RedHat server may not be a problem to work with Debian servers?
--
Germana Oliveira

02-23-2010, 09:31 PM
Hi germana,

> I have been searching for some tools (free software tools) and i have
> found some:

Maybe these links will interest you also:
http://www.ldap-account-manager.org/
and
http://ldapadmin.sourceforge.net/

regards,
mj
--
www.muzieknoteren.nl

02-26-2010, 02:20 AM
On Mon, Feb 22, 2010 at 10:42:31AM -0400, Germana Oliveira wrote:
> Hi!
>
> Some service (software) companies have been telling us 'not to use
> ldap for user authentication' instead they recommend us to use
> Microsoft Active Directory, this because, they say, LDAP is
> problematic, talking about domain, and hard to use - for example is
> very complicated to change a password in LDAP, versus the Graphical
> interface of Active Directory.
>
Probably because they sell MS Active Directory, and don't sell LDAP on
Linux...
> We think, Active Directory can be a open door for our system, so we
> really want to use LDAP, because all our servers are going to be in
> Debian...
>
> So we want to know your experience with LDAP.
>
At a previous job I set up Samba/LDAP as a domain controller (as a test
only, it was not used in production). It worked. Windows clients could
change their passwords using the default Windows tools.
There are several GUIs for this:
Webmin
phpldapadmin
ldap account manager
I'm sure there are more, but those are a few that I've tried.
There is a lot to learn if you are going to set this up yourself.
Alternatively, you could try a pre-packaged solution like SMEServer,
which will set up a domain controller for you. I tested it and it
worked, but it seemed less flexible (but very simple) than doing it by
hand.
-Rob