Section 8.5. Configuring Windows to Use LDAP for Login Authentication

All this talk of using LDAP for Linux authentication is well and good, but this book is about integrating Linux and Windows on a network. How, then, does LDAP help you with Windows clients? The answer is that Windows (or at least Windows NT/200x/XP) uses an authentication system known as Graphical Identification and Authentication (GINA). Supplements to the Microsoft-supplied GINA are available, and you can use one of these to have Windows authenticate against your LDAP server.

One of the most flexible GINA supplements is known as pGina, a modular open source GINA tool. You can find pGina modules that support LDAP, MySQL, NIS, SecurID, and many more authentication systems. The following pages are devoted to pGina's LDAP functionality. Unfortunately, pGina is limited to working with Windows 200x/XP; it doesn't work with Windows 9x/Me. (In theory, pGina should work with Windows NT, but its LDAP module requires features that were added with Windows 2000.) Using pGina requires installing it and configuring it to use your LDAP server.

8.5.1. Obtaining and Installing pGina

You can obtain pGina from its web site. You'll need to download both the main pGina package and the LDAP plugin module. Both packages come in the form of installer applications. This chapter uses pGina 1.7.6 and the LDAPAuth 1.4-beta plugin as references; some details may differ if you use another version of the package.

To work with Windows XP SP2, pGina Version or later is required for best functionality.

Once you've downloaded the two installer programs, you should run them both as the Windows Administrator. These are typical Windows program installers; they ask you to accept a license agreement (the GPL), where to install the program, and so on, then drop the files in the appropriate locations. The main pGina installer then runs the pGina configuration utility, but if you install it first, you'll have to run the LDAP plugin installer before you can configure pGina to use LDAP.

As with configuring PAM in Linux, installing and configuring pGina incorrectly can produce a system you can't access. You should prepare an emergency recovery disk and be prepared to use it with the Windows Safe Mode should problems occur. Completely backing up the Windows boot partition may be wise, as well. If you're preparing to install pGina on an entire network, try installing it first on a test system that holds no important data.

8.5.2. Registering Your Certificate

If you're using strong encryption, as is wise on most networks, you must register your SSL certificate with Windows. This step is necessary because Windows is fussier about certificates than are the Linux PAM and NSS LDAP modules; if Windows can't verify your certificate, you won't be able to establish an encrypted SSL connection with the LDAP server.

To do the deed, you should begin by making the LDAP certificate file (slapd-cert.crt), which you created earlier. You can place it on a file share, move it around on a floppy, or whatever's convenient. (This file is not sensitive from a security point of view, so you needn't take any precautions to prevent it from being seen by others.) Once the file is available in Windows, follow these steps:

  1. Double-click the certificate file. This action should bring up the Certificate dialog box shown in Figure 8-5. If it doesn't, check the filename; it should end in a .crt extension. If it doesn't, correct the matter, and try again.

    Figure 8-5. Windows provides a tool for registering certificates you generate

  2. Click Install Certificate. This action yields a certificate installation wizard.

  3. Click Next in the wizard. The result resembles Figure 8-6, except that this figure shows some data entered as described in the next few steps.

    Figure 8-6. The certificate installation wizard lets you select how to categorize your certificate

  4. Click Place all certificates in the following store.

  5. Click Browse. The wizard displays a dialog box called Select Certificate Store.

  6. In the Select Certificate Store dialog box, check the Show Physical Stores checkbox.

  7. In the Select Certificate Store dialog box, expand the Trusted Root Certification Authorities item.

  8. An object called Local Computer should now be visible. Highlight it and click OK in the Select Certificate Store dialog box. Your wizard should now show the same path in the Certificate Store field as is shown in Figure 8-6.

  9. Click Next. The wizard presents a summary screen.

  10. Click Finish. A message stating that the import was successful should appear.

At this point, your certificate should be installed, which should enable you to use SSL encryption with your LDAP server, provided the server is properly configured to accept this encryption.

8.5.3. Configuring pGina for LDAP Client Use

Before proceeding to actual pGina configuration, I recommend you test the LDAP module. To do so, select Start → Programs → pGina → PluginTester from the Windows desktop. The result is a large pGina Plugin Simulation dialog box. Click the Browse button to locate the LDAP plugin, which by default is installed in a subdirectory of your main pGina installation directory. You can then click the Configure button, which brings up the pGina LDAPAuth configuration dialog box, shown in Figure 8-7.

Figure 8-7. To configure pGina's LDAP module, use a dialog box to enter many of the options you enter in Linux LDAP client configuration files

You must give pGina's LDAPAuth dialog box some basic information on your LDAP server. The most important information items are the LDAP Server, Use SSL, and Contexts items. The other items can be important in some situations, but are beyond the scope of this chapter to describe; consult the pGina documentation for details. Enter your server's IP address or hostname in the LDAP Server field. If you're using SSL encryption, you must use the name you specified in the Common Name (eg, YOUR name) item when you created your certificate, as described in Section 8.2.3. You must also check the Use SSL checkbox to enable SSL encryption. For the Contexts, you must enter a context in the field just above the Add Context button, then click that button. Your entry will then be moved to the larger field to the right of the button. Typically, the context you enter will be your root DN, as shown in Figure 8-7.

After entering this information, click OK. The system says it's saved the settings. You can then type a username and password into the large pGina Plugin Simulation dialog box, and click Login. (Note that your password will echo when you type it, and it will also appear in the dialog box once it's been authenticated.) If all goes well, the program reports "plugin reported success", along with information on the account in the main dialog box. If the tool instead reports a failure, you should click Configure to go back to the configuration dialog box and make changes. Because of pGina's insistence on verifying the server's certificate, this can be a problem area. You may want to temporarily disable SSL encryption (on both the client and the server) to simplify matters while you troubleshoot. Once you can authenticate users, click Exit.
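Because the usual failure at this step is a certificate whose name does not match what you typed into the LDAP Server field, it helps to check that combination from any machine that can reach the server before touching pGina. The script below is an added example, not code from the book or the pGina project; it assumes Python 3, that the server listens for LDAPS on port 636, and that slapd-cert.crt is the self-signed server certificate exported earlier, so it can serve as the trust anchor.

```python
"""Check the LDAP Server name and certificate that pGina's LDAPAuth
plugin will see when Use SSL is enabled (example code, not pGina's)."""
import socket
import ssl


def cert_names(cert):
    """DNS names a certificate claims, in the dict layout returned by
    ssl.SSLSocket.getpeercert(): SAN dNSName entries first, falling back
    to the subject Common Name (all an old self-signed cert usually has)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def hostname_matches(cert, hostname):
    """True if hostname equals one of the certificate names (case-insensitive)
    or fits a single-label '*.' wildcard; an IP typed into the LDAP Server
    field matches only if the certificate literally names that IP."""
    host = hostname.lower().rstrip(".")
    for name in cert_names(cert):
        name = name.lower().rstrip(".")
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
        elif name == host:
            return True
    return False


def check_ldaps_server(hostname, cafile, port=636, timeout=5):
    """Connect the way pGina will: require a chain that verifies against the
    exported slapd-cert.crt and a matching name. Returns (ok, detail)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # name check done below so we can report it
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except (OSError, ssl.SSLError) as exc:
        return False, "TLS handshake failed: %s" % exc
    if not hostname_matches(cert, hostname):
        return False, "name mismatch: certificate names %s" % cert_names(cert)
    return True, "certificate chain and hostname OK"


if __name__ == "__main__":
    # Constructed sample matching getpeercert()'s layout; no network needed.
    sample = {"subject": ((("commonName", "ldap.example.com"),),)}
    print(hostname_matches(sample, "ldap.example.com"))       # True
    print(hostname_matches(sample, "192.168.1.5"))            # False
```

If the name check fails, fix the LDAP Server field (or reissue the certificate) rather than disabling SSL permanently; the temporary SSL-off troubleshooting above should only confirm that the rest of the configuration works.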

To fully configure pGina, select Start → Programs → pGina → Configuration Tool. (The installer launches this program automatically by default, so it may already be running.) The result is the main pGina configuration dialog box, shown in Figure 8-8. Basic configuration at this point is fairly simple: click Browse to locate the LDAP plugin. If you haven't tested the plugin, though, you'll also need to click Configure to configure it. Testing your configuration can be tricky unless you use the plugin tester program, as just described.

Figure 8-8. The main pGina configuration dialog box

In addition to the basic configuration, you may want to adjust some of the more advanced features of pGina:

  • You can tell pGina to map network drives by entering a mapping in the Drive Maps field. For instance, entering M:\\MANDRAGORA\SHARED maps the SHARED share on the MANDRAGORA server to the local M: drive letter. (This requires that the SMB/CIFS server use the same password that's stored by the LDAP server.)

  • You can force all users to belong to a specified set of groups by entering those groups in the Groups field. Separate groups with semicolons (;), as in Users;Staff to make all users members of both the Users and Staff groups.

  • You can set features of the logon display, such as the graphic shown and any login messages, by using the Logon Window tab.

  • By default, pGina keeps users' profiles between logons, meaning that users can customize their desktops and keep these settings. If you want users to see a standard desktop at each logon, you can uncheck the Keep Profiles item on the Account Information tab. The Force Login checkbox on this tab tells pGina to store the authenticated password locally, which should enable local logins even if the LDAP server goes down, provided the user has authenticated before. (This option might be handy on laptop computers.)

  • The Domain Interaction tab presents options that enable pGina to perform domain authentication, as well as LDAP authentication. If your network hosts both an LDAP server and an NT Domain controller, each with its own set of accounts, this option enables a client to authenticate against either server.

Once you've configured pGina, you need to reboot the computer for the changes to take effect. Once you do, you'll be greeted by a new pGina login prompt, as shown in Figure 8-9. You should be able to log on using any of the accounts defined on your LDAP server, as well as any accounts that are defined locally on the Windows system. When you log on using an LDAP account, pGina automatically generates a matching local account. The user thereafter appears in the local user database unless you manually delete the accounts or uncheck the Keep Profiles checkbox, as just described.

Figure 8-9. Once pGina is working, it presents its own logon screen rather than the default Windows logon screen

    Linux in a Windows World
    ISBN: 0596007582
    Year: 2005