From: Smith, Chris (chris@mail.smu.edu)
Date: Fri Apr 04 2003 - 16:02:47 CST
Um, for what it's worth, keep in mind you can authenticate against AD
accounts by deploying IAS (Microsoft Radius). The Perl code for Netreg
was a breeze, Radius offers superior control and logging, and it doesn't
authenticate passwords in the clear, like LDAP does (ordinarily). It
also means your security architecture doesn't require access directly
from Netreg boxes, which are often in risky locations at the network
edge, to Domain Controllers, which are usually deep in the network core.
Radius auth for AD accounts is in production campus-wide at SMU for
Netreg/Resnet, Netreg/Wireless, PPP, and VPN.
By the way, managing 10,000 accounts' Microsoft Dial-In rights is loads
of fun (and not MY job)!
--
J. Christian Smith - Information Security Manager
Information Technology Services, Southern Methodist University, Dallas
PGP fingerprint: B6A7 7B14 653F C98C 4355 2436 4850 9A1D FCA8 DAD4

> -----Original Message-----
> From: Peter Valian [mailto:valianp@southwestern.edu]
> Sent: Friday, April 04, 2003 3:22 PM
> To: netreg@southwestern.edu
> Subject: Re: NetReg: NetReg and Active Directory
>
>
> My thinking was Active Directory LDAP isn't exactly RFC Standard "LDAP".
> I'm neither an Active Directory nor LDAP expert so I may be totally
> off...we're recently trying to do LDAP syncing with an Active Directory
> (Sun is coming out with a version of their SunOne Directory Server which
> has this ability). We're a unix shop and the thought of having a W2K AD
> box be our authoritative source of account info makes me nervous...I
> cannot reboot such an important machine every time I need to apply a patch!
>
> for all those doing LDAP authentication (for mail and such) could you
> please drop me a note...we're planning for such a system in summer and
> I'm going to need as much advice as possible.
>
> thanks,
> -p
>
> Patrick Jaques wrote:
> > Hi Peter,
> >
> > Couldn't the LDAP contrib code be used to validate users in a Windows
> > 2000 AD environment? If it can, then I should be able to add the ldap
> > specific code to my current version of NetReg 1.3rc2 w/CIDR update
> > (variables.pl and register.cgi). I believe Microsoft LDAP is a little
> > different than standard LDAP. Microsoft used "DC=" for the domain,
> > instead of "O=".
> >
> > Example: ou=sales,dc=mydomain,dc=com (Microsoft ldap)
> >          ou=sales,o=mydomain.com (Standard LDAP)
> >
> > DC - domain component
> > O - organization
> > OU - organization unit
> >
> > -- Patrick
> >
> > -----Original Message-----
> > From: owner-netreg@southwestern.edu
> > [mailto:owner-netreg@southwestern.edu]
> > On Behalf Of Peter Valian
> > Sent: Friday, April 04, 2003 12:31 PM
> > To: netreg@southwestern.edu
> > Subject: Re: NetReg: NetReg and Active Directory
> >
> >
> > to clarify, you are trying to use your W2K Active Directory to do the
> > authentication for NetReg (on Linux)?
> >
> > You would need (ideally) a Perl module that can talk with active
> > directory and some Perl knowledge.
> >
> > I found a few articles along these lines:
> >
> > http://isg.ee.ethz.ch/tools/realmen/det/adsi.en.html
> > http://www.perl.com/pub/a/2001/12/19/xmlrpc.html
> > http://www.securityfocus.com/infocus/1563
> >
> > -peter
> >
> > Lavengood, Michael wrote:
> >
> >> We are currently in the process of testing NetReg. We are currently
> >> running W2k DHCP, DNS and Active Directory. We have tried to get the
> >> ldap to connect to it with no luck. Has anyone else been able to
> >> connect to their AD Server with NetReg?
> >>
> >> Thanks in advance,
> >>
> >> Mike
> >>
> >>
> >> Michael Lavengood
> >> Network Security Administrator
> >>
> >> Franklin College <http://www.franklincollege.edu/> Information
> >> Technology Services, 501 East Monroe Street
> >> Franklin, Indiana 46131
> >>
> >> mlavengood@franklincollege.edu
> >> <mailto:mlavengood@franklincollege.edu>
> >> Phone: 317.738.8148
> >> Fax: 317.738.8146
> >>
> >>
> >
> >
> > --
> Peter Valian
> Network & Systems Administrator
> Southwestern University
> Georgetown, Texas
> 512.863.1586 office
> 512.863.1605 fax
> --
>
> **********************************************************************
> To unsubscribe from this list, send an e-mail message to
> majordomo@southwestern.edu containing a single line with the
> words: unsubscribe netreg Send requests for assistance to:
> owner-netreg@southwestern.edu
> **********************************************************************
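Chris's point that RADIUS does not carry the AD password in the clear comes down to how the client hides the User-Password attribute before the Access-Request leaves the NetReg box. The Python below is an added example, not code from this thread, from NetReg or from IAS; the shared secret, user name, password and request authenticator are constructed sample values, and the hiding follows RFC 2865 section 5.2.

```python
# Added example (not from the thread or NetReg): how a RADIUS client hides the
# PAP User-Password attribute in an Access-Request (RFC 2865, section 5.2).
# Secret, user name, password and authenticator here are constructed values.
import hashlib
import os
import struct

BLOCK = 16  # the password is hidden in 16-octet blocks


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """XOR each NUL-padded 16-octet block with MD5(secret || previous hidden block);
    the first block is keyed on the 16-octet Request Authenticator."""
    padded = password.ljust(max(BLOCK, -(-len(password) // BLOCK) * BLOCK), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), BLOCK):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], key))
        out, prev = out + block, block  # chaining uses the hidden block, not the plaintext
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server (IAS) performs it before checking
    the credential against AD; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + BLOCK], key))
        prev = hidden[i:i + BLOCK]
    return out.rstrip(b"\x00")


def radius_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the 2-octet attribute header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, authenticator=None) -> bytes:
    """Access-Request (Code 1) carrying User-Name (1) and User-Password (2)."""
    authenticator = authenticator or os.urandom(BLOCK)  # must be unpredictable per request
    attrs = radius_attr(1, username) + radius_attr(2, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))  # 4-octet header + 16-octet authenticator
    return header + authenticator + attrs


if __name__ == "__main__":
    auth = os.urandom(BLOCK)
    pkt = build_access_request(7, b"jdoe", b"Sample-pw-2003!", b"constructed-secret", auth)
    assert b"Sample-pw-2003!" not in pkt  # the AD password is not in the datagram
    # offset 28: 20-octet header, 6-octet User-Name attribute, 2-octet attribute header
    assert reveal_password(pkt[28:], b"constructed-secret", auth) == b"Sample-pw-2003!"
```

Only a party holding the shared secret can unhide the attribute, which is why the secret must be long and per-client; the hiding is MD5-based and is not a substitute for protecting the NetReg-to-IAS path itself.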
This archive was generated by hypermail 2.1.4 : Thu Aug 12 2004 - 12:01:39 CDT