Directory services for Linux

Directory services are a standard feature of any medium to large corporate network. If you’re unfamiliar with the concept of a directory, think of it like an address book for networks. Information on people (e.g., name, e-mail address) and systems (e.g., file shares, printers) is stored within the directory for access by applications. The role of a directory service is to make administering and navigating a large network much more manageable. Network-wide functions such as authentication, user databases and centralised file repositories can all be provided using a directory service.

Linux already has a strong reputation as an excellent file and Web server operating system. In this column, we take a look at some of the tools for providing directory services for a network on a Linux server.

OpenLDAP

The Lightweight Directory Access Protocol is a standard method for accessing directory services across applications and platforms. The protocol is very simple and operates on top of TCP/IP. Most modern communication applications which can take advantage of directory access include support for LDAP. Examples of these include e-mail clients such as Microsoft Outlook and Ximian Evolution.

OpenLDAP (www.openldap.org) is an open source implementation of LDAP v2 and v3 for Linux/UNIX. Included with OpenLDAP are a stand-alone server (slapd), a replication server (slurpd), and numerous utilities for interfacing with an LDAP server under Linux.

The information stored in an OpenLDAP database can be customised to your needs. You may just want to deploy an LDAP service to keep contact details for each member of staff in your company, or you may have a more exotic function in mind.

The OpenLDAP Administrators Guide (www.openldap.org/doc/admin21) provides a helpful and detailed introduction to installing and configuring OpenLDAP.

Samba 3.0 and Active Directory

Samba (www.samba.org), best known as a utility providing Windows file and printer sharing under Linux/UNIX, is also capable of providing some Windows directory services. Version 2.2 of Samba can act as a Windows NT Primary Domain Controller (PDC) to provide authentication services to Windows clients.

With the introduction of Windows 2000, Microsoft replaced Windows NT Domains with a more advanced directory system, Active Directory. Active Directory employs a hierarchical structure instead of the flat structure of Windows NT Domains. Security for the authentication services of Active Directory is provided by the Kerberos protocol. Active Directory also introduces support for lookups from LDAP-enabled applications.

Samba 3.0 (in beta at the time of writing) introduces support for authenticating against Active Directory servers and providing Active Directory server functions under Linux/UNIX. The introduction of Active Directory services within Samba has been a long time coming and will please system administrators currently maintaining both Active Directory and Windows NT Domains in a single environment. The combination of these two systems can cause administration headaches, and the migration to a single platform will solve many problems.

Enabling Active Directory support with Samba 3.0 requires the MIT Kerberos tools (http://web.mit.edu/kerberos/www/) for authentication and OpenLDAP to communicate with Active Directory servers/clients using LDAP. Active Directory support is enabled with a simple compile-time configuration option and requires an entry in the smb.conf configuration file similar to the following:

realm = EXAMPLE.COM
ads server = 192.168.1.100
security = ADS
encrypt passwords = yes

Kerberos must be configured to authenticate with Active Directory. Update krb5.conf to include the following:

[realms]
    EXAMPLE.COM = {
        kdc = 192.168.1.100
        default_domain = example.com
    }
[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

To authenticate with an Active Directory server, type the following in a shell:

$ /usr/kerberos/bin/kinit user@EXAMPLE.COM

You will be prompted for a password and, if authentication is successful, returned to a shell prompt. If the user you connected as has Administrator privileges on the Active Directory server, you can add your Linux server to the Active Directory by typing:

$ /usr/local/samba/bin/net ads join

To navigate the Active Directory, use the ‘smbclient’ command followed by a Windows share name. As you are authenticated in the Active Directory now, you should be able to view the share without a password.
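
The following preflight check is an added example, not part of the original article or of the Samba or Kerberos distributions. It verifies that the smb.conf and krb5.conf entries shown above agree with each other before kinit and net ads join are run. The function names (conf_value, has_line, check_ads_config, write_samples) are hypothetical, and the rule that the kdc address must equal the ads server address is an assumption that holds for the single-server setup shown here.

```shell
# conf_value FILE KEY: print the value of the first "KEY = value" line.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# has_line FILE A B: succeed if FILE has a line of the form "A = B".
has_line() {
    awk -v a="$2" -v b="$3" '$1 == a && $2 == "=" && $3 == b { f = 1 }
        END { exit !f }' "$1"
}

# check_ads_config SMB_CONF KRB5_CONF: print each mismatch; return 1 if any.
check_ads_config() {
    smb=$1; krb=$2; bad=0
    fail() { echo "$1"; bad=1; }
    realm=$(conf_value "$smb" realm)
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    sec=$(conf_value "$smb" security | tr '[:lower:]' '[:upper:]')
    [ "$sec" = "ADS" ] || fail "smb.conf: security is not ADS"
    [ "$(conf_value "$smb" 'encrypt passwords')" = "yes" ] ||
        fail "smb.conf: encrypt passwords is not yes"
    [ -n "$realm" ] && [ "$realm" = "$upper" ] ||
        fail "smb.conf: realm is missing or not upper case"
    has_line "$krb" "$realm" "{" ||
        fail "krb5.conf: no [realms] stanza for $realm"
    [ "$(conf_value "$krb" kdc)" = "$(conf_value "$smb" 'ads server')" ] ||
        fail "krb5.conf: kdc differs from smb.conf ads server"
    has_line "$krb" "$domain" "$realm" ||
        fail "krb5.conf: [domain_realm] does not map $domain to $realm"
    return "$bad"
}

# write_samples DIR: constructed copies of the article's two files, plus a
# krb5.conf variant (krb5.bad) whose KDC address is wrong.
write_samples() {
    printf '%s\n' 'realm = EXAMPLE.COM' 'ads server = 192.168.1.100' \
        'security = ADS' 'encrypt passwords = yes' > "$1/smb.conf"
    printf '%s\n' '[realms]' 'EXAMPLE.COM = {' '    kdc = 192.168.1.100' \
        '    default_domain = example.com' '}' '[domain_realm]' \
        '.example.com = EXAMPLE.COM' 'example.com = EXAMPLE.COM' > "$1/krb5.conf"
    sed 's/192.168.1.100/192.168.1.200/' "$1/krb5.conf" > "$1/krb5.bad"
}

dir=$(mktemp -d); write_samples "$dir"
check_ads_config "$dir/smb.conf" "$dir/krb5.conf" && echo "configs agree"
check_ads_config "$dir/smb.conf" "$dir/krb5.bad" || echo "fix before kinit"
rm -rf "$dir"
```

Kerberos realm names are case-sensitive, which is why the check insists on an upper-case realm that matches the [realms] stanza exactly.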

Other directory services

IBM has recently released version 5.1 of its IBM Directory Server product (www-3.ibm.com/software/tivoli/products/directory-server/) for Linux.

IBM Directory Server is based on the DB2 database server and implements LDAP v3 services with advanced features such as replication and Kerberos authentication. IBM Directory Server can be downloaded free of charge from www14.software.ibm.com/webapp/download/search.jsp?rs=ldap&go=y.

Alastair Cousins

LinuxWorld