Fast, Easy, Cheap: Pick One

Just some other blog about computers and programming

Authenticating Windows Against Open Directory

First of all, apologies to everyone for the long time between posts, I’ve been suffering from a slight shortage of inspiration lately.

However, today I figured out something quite cool. It is possible to authenticate Windows (2000, XP, and possibly Vista) machines against Apple’s Open Directory. This is great if you have an Open Directory server as your user account central store.

The software that enables this is called pGina.

To get started, simply download and install pGina. Then download the additional plugins. The one we’re interested in is the ldapauth plugin. Install the plugin somewhere inside your pGina installation, e.g. c:\pGina\plugins.

Now launch the configuration utility for pGina, and in the “Plugin” tab browse to the ldapauth_plus.dll plugin in c:\pGina\plugins\ldapauth\. Click the “Configure” button. Ensure the “LDAP Method” is set to “Search Mode”. In the “LDAP Server” field enter the DNS name or IP of your Open Directory server. Leave the port at the default 389. You can leave the rest of the fields blank. Then, under “Contexts”, add cn=Users,dc=company,dc=com, where the last two segments are your base DN. This will depend on your site’s configuration. If you’re unsure, I recommend using a tool like Apache Directory Studio to examine your LDAP server. Finally, go to the “Password Configuration” tab and check the “Disable Change Password” box. If a user changes their password only on the LDAP server, it may break other things that depend on it, such as their Kerberos and keychain passwords.
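To make the “Search Mode” setting concrete, here is an added Python model of what the plugin does with the login name and the “Contexts” list: search each context for the user’s entry, then simple-bind as the DN it found. This is not pGina’s or the post’s own code; it assumes the login name is the entry’s uid, and the search and bind operations are injected callables backed by a constructed in-memory directory so it runs offline.

```python
from typing import Callable, Iterable, Optional

# RFC 4515 escaping. The typed login name is spliced into the search filter,
# so characters with filter meaning must be encoded or "*" / ")(" in the
# name would change which entry the search returns.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter(value: str) -> str:
    return "".join(_ESCAPE.get(ch, ch) for ch in value)

def search_mode_auth(
    username: str,
    password: str,
    contexts: Iterable[str],
    search: Callable[[str, str], list],  # (base DN, filter) -> matching DNs
    bind: Callable[[str, str], bool],    # (DN, password) -> bind accepted?
) -> Optional[str]:
    """Return the DN that authenticated, or None when the login is rejected."""
    # A simple bind with an empty password is an unauthenticated bind
    # (RFC 4513 section 5.1.2) and "succeeds" on many servers, so it must
    # never count as a login.
    if not username or not password:
        return None
    flt = f"(uid={escape_filter(username)})"  # assumes login name == uid
    for base in contexts:
        matches = search(base, flt)
        if not matches:
            continue  # not under this context, try the next one
        if len(matches) > 1:
            return None  # ambiguous entry: refuse rather than guess
        return matches[0] if bind(matches[0], password) else None
    return None  # not found in any configured context

# Constructed in-memory stand-in for the Open Directory server.
FAKE_DIRECTORY = {
    "uid=alice,cn=Users,dc=company,dc=com": "correct horse",
    "uid=bob,cn=Users,dc=company,dc=com": "hunter2",
}

def fake_search(base_dn: str, flt: str) -> list:
    # Understands only the "(uid=<escaped value>)" filters built above.
    uid = flt[len("(uid="):-1]
    return [dn for dn in FAKE_DIRECTORY
            if dn.startswith(f"uid={uid},") and dn.endswith("," + base_dn)]

def fake_bind(dn: str, password: str) -> bool:
    return FAKE_DIRECTORY.get(dn) == password
```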

Unfortunately, I don’t think it’s possible to use the groups features in the “User Configuration” tab of this plugin as I can’t find a way to make it look up group membership in the cn=Groups container. Perhaps I’ll try hacking this on some day if we ever need to use it here.

Now that you have configured the plugin, you can configure the rest of pGina as you see fit.

The one caveat to using pGina is that if you’re using it to share files out over CIFS/SMB or for remote desktop, users will need to log in to the machine locally first, unless the share is readable by “Everyone”. This is because pGina only handles the authentication portion of things, at the login window or when connecting remotely. When you are setting permissions on a share, Windows will not be able to look up users from LDAP, so they will only be available if their account already exists on the machine from a previous login.

I hope this has been of use. If you have any further tips then please share them in the comments section.