Authentication by LDAP not AD - Anyone else doing the same????

pblake
Contributor III

Does anyone use LDAP for authentication? We use LDAP for computer authentication here with a complicated logon hook to check affiliations for access. Anyone do anything similar? I am looking for advice and any help in how it should be done.


chuck3000
Contributor

What problems are you having?

LDAP and AD are the same thing really - well, a subset of the other

Below is copied from Stackoverflow.com:

*Active Directory is a database based system that provides authentication, directory, policy, and other services in a Windows environment

LDAP (Lightweight Directory Access Protocol) is an application protocol for querying and modifying items in directory service providers like Active Directory, which supports a form of LDAP.

Short answer: AD is a directory services database, and LDAP is one of the protocols you can use to talk to it.*

grahamfw
New Contributor III

Computer authentication or user authentication? Those are two different things.

pblake
Contributor III

We are actually doing both. User authentication. Then the computer is checked against another list to see if the user has access to that computer.

sbrosnihan
New Contributor III

We are using an LDAP connection on the JSS to authenticate users in Self Service and to authenticate techs and administrators to the JSS. We have recently been able to leverage an LDAP group on an OpenLDAP directory to place limitations on the scope of a policy. In our case, to verify that a user has paid their tech fee. We do not bind client computers to LDAP. The JSS handles all the queries. Computers are associated with LDAP users via the quickadd package that users are given during URL based enrollment.

Don't add LDAP groups to the JSS User Accounts unless you want the users in that group to be able to access the JSS web interface. Rather, use scope exceptions and limitations to leverage LDAP groups.

If you are binding at login, Casper can set up the login hook, but will override any pre-existing login hooks. If you want to retain control of login hooks you can create one using the JSS and then copy-paste the bits into your own scripts and deploy them with policy. Even when not managing login hooks with Casper, the login trigger can be used to leverage LDAP in policies, as can Self Service.

We have also made an extension attribute that looks for a member-of attribute in LDAP user records. It uses the "LDAP Attribute Mapping" input type. Mileage on this may vary as it appears that the JSS is grabbing the first attribute in the user record and comparing it against the string you provide and ignores all others, so if you have more than one attribute assigned to a user and you want to verify that the second one listed exists, you are out of luck. Our schema is pretty simple, and so this usually works for displaying group membership status in inventory searches.
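As an added illustration (not code from any poster in this thread) of the multi-valued `memberOf` problem described above: a small shell check that scans every `memberOf` value in an LDAP user record rather than only the first, in the style of a Jamf extension attribute script. The LDIF, host, base DN and group DNs are constructed placeholders.

```shell
#!/bin/sh
# Added example: report group membership by checking all memberOf values of a
# user record, so a group listed second (or later) is still matched.

# Constructed sample standing in for ldapsearch LDIF output for one user
# with two group memberships. Hypothetical DNs.
SAMPLE_LDIF='dn: uid=jdoe,ou=people,dc=example,dc=edu
uid: jdoe
memberOf: cn=students,ou=groups,dc=example,dc=edu
memberOf: cn=techfee-paid,ou=groups,dc=example,dc=edu
'

# user_in_group LDIF GROUP_DN
# Prints "Yes" and returns 0 if any memberOf line equals GROUP_DN
# (case-insensitive, as DNs are); prints "No" and returns 1 otherwise.
# awk compares whole values, so no regex escaping of the DN is needed.
user_in_group() {
    ldif="$1"
    group="$2"
    if printf '%s\n' "$ldif" | awk -F': ' -v g="$group" '
        tolower($1) == "memberof" && tolower($2) == tolower(g) { found = 1 }
        END { exit !found }'
    then
        echo "Yes"
        return 0
    fi
    echo "No"
    return 1
}

# For a live query, replace SAMPLE_LDIF with ldapsearch output, for example
# (hypothetical host and base DN; use a read-only bind account):
#   ldapsearch -LLL -x -H ldaps://ldap.example.edu \
#       -b "ou=people,dc=example,dc=edu" -D "$BIND_DN" -w "$BIND_PW" \
#       "(uid=$USERNAME)" memberOf

# Extension-attribute style output when run directly:
result=$(user_in_group "$SAMPLE_LDIF" "cn=techfee-paid,ou=groups,dc=example,dc=edu")
echo "<result>${result}</result>"
```

The second group in the sample is the one a first-value-only comparison would miss; this check finds it.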