8.5. Configuring Windows to Use LDAP for Login Authentication
All this talk of using LDAP for Linux authentication is well and good, but this book is about integrating Linux and Windows on a network. How, then, does LDAP help you with Windows clients? The answer is that Windows (or at least Windows NT/200x/XP) uses an authentication system known as Graphical Identification and Authentication (GINA). Supplements to the Microsoft-supplied GINA are available, and you can use one of these to have Windows authenticate against your LDAP server.
One of the most flexible GINA supplements is known as pGina (http://pgina.xpasystems.com), which is a modular open source GINA tool. You can find pGina modules that support LDAP, MySQL, NIS, SecurID, and many more authentication systems. The following pages are devoted to pGina's LDAP functionality. Unfortunately, pGina is limited to working with Windows 200x/XP; it doesn't work with Windows 9x/Me. (In theory, pGina should work with Windows NT, but its LDAP module requires features that were added with Windows 2000.) Using pGina requires installing it and configuring it to use your LDAP server.
8.5.1. Obtaining and Installing pGina
You can obtain pGina from its web site. You'll need to download both the main pGina package (available from http://pgina.xpasystems.com/files/) and the LDAP plugin module (available from http://pgina.xpasystems.com/plugins/). Both packages come in the form of installer applications. This chapter uses pGina 1.7.6 and the LDAPAuth 1.4-beta plugin as references; some details may differ if you use another version of the package.
Once you've downloaded the two installer programs, you should run them both as the Windows Administrator. These are typical Windows program installers; they ask you to accept a license agreement (the GPL), where to install the program, and so on, then drop the files in the appropriate locations. The main pGina installer then runs the pGina configuration utility, but if you install it first, you'll have to run the LDAP plugin installer before you can configure pGina to use LDAP.
8.5.2. Registering Your Certificate
If you're using strong encryption, as is wise on most networks, you must register your SSL certificate with Windows. This step is necessary because Windows is fussier about certificates than are the Linux PAM and NSS LDAP modules; if Windows can't verify your certificate, you won't be able to establish an encrypted SSL connection with the LDAP server.
To do the deed, you should begin by making the LDAP certificate file (slapd-cert.crt), which you created earlier, available to the Windows system. You can place it on a file share, move it around on a floppy, or whatever's convenient. (This file is not sensitive from a security point of view, so you needn't take any precautions to prevent it from being seen by others.) Once the file is available in Windows, follow these steps:
At this point, your certificate should be installed, which should enable you to use SSL encryption with your LDAP server, provided the server is properly configured to accept this encryption.
8.5.3. Configuring pGina for LDAP Client Use
Before proceeding to actual pGina configuration, I recommend you test the LDAP module. To do so, select Start → Programs → pGina → PluginTester from the Windows desktop. The result is a large pGina Plugin Simulation dialog box. Click the Browse button to locate the LDAP plugin, which by default is installed in a subdirectory of your main pGina installation directory. You can then click the Configure button, which brings up the pGina LDAPAuth configuration dialog box, shown in Figure 8-7.
Figure 8-7. To configure pGina's LDAP module, use a dialog box to enter many of the options you enter in Linux LDAP client configuration files
You must give pGina's LDAPAuth dialog box some basic information on your LDAP server. The most important information items are the LDAP Server, Use SSL, and Contexts items. The other items can be important in some situations, but are beyond the scope of this chapter to describe; consult the pGina documentation for details. Enter your server's IP address or hostname in the LDAP Server field. If you're using SSL encryption, you must use the name you specified in the Common Name (eg, YOUR name) item when you created your certificate, as described in Section 8.2.3. You must also check the Use SSL checkbox to enable SSL encryption. For the Contexts, you must enter a context in the field just above the Add Context button, then click that button. Your entry will then be moved to the larger field to the right of the button. Typically, the context you enter will be your root DN, as shown in Figure 8-7.
After entering this information, click OK. The system says it's saved the settings. You can then type a username and password into the large pGina Plugin Simulation dialog box, and click Login. (Note that your password will echo when you type it, and it will also appear in the dialog box once it's been authenticated.) If all goes well, the program reports "plugin reported success", along with information on the account in the main dialog box. If the tool instead reports a failure, you should click Configure to go back to the configuration dialog box and make changes. Because of pGina's insistence on verifying the server's certificate, this can be a problem area. You may want to temporarily disable SSL encryption (on both the client and the server) to simplify matters while you troubleshoot. Once you can authenticate users, click Exit.
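The two checks above that cause most trouble (the certificate being trusted by Windows, and the LDAP Server name matching the certificate's Common Name) can be exercised from an elevated PowerShell prompt before you touch pGina. The script below is an added example, not code from the book or from the pGina project; it assumes the certificate is at C:\Temp\slapd-cert.crt, that the server name and Common Name are ldap.example.com, and that a test account exists under dc=example,dc=com (all placeholder values).

```powershell
# Added example (not from the book or pGina). Registers slapd-cert.crt in the
# Trusted Root store, checks that the name you will type into pGina's LDAP Server
# field matches the certificate, then performs an SSL bind with the same Windows
# certificate verification that pGina's LDAPAuth plugin relies on.
# Assumed placeholders: file path, server name, and bind DN.
$CertFile   = 'C:\Temp\slapd-cert.crt'
$LdapServer = 'ldap.example.com'     # must equal the certificate's Common Name
$BindDn     = 'uid=testuser,ou=People,dc=example,dc=com'

# 1. Register the certificate with Windows (LocalMachine\Root = Trusted Root CAs).
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()
Write-Host "Imported '$($cert.Subject)' (thumbprint $($cert.Thumbprint))"

# 2. The name Windows will compare against the certificate (SAN DNS name, else CN).
$certName = $cert.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($certName -ne $LdapServer) {
    Write-Warning "Certificate name '$certName' does not match LDAP Server '$LdapServer'; SSL verification will fail"
}

# 3. Bind over LDAPS (port 636); Windows verifies the server certificate here.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($LdapServer, 636)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection $id
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
$password = Read-Host "Password for $BindDn" -AsSecureString
$conn.Credential = New-Object System.Net.NetworkCredential($BindDn, $password)
try {
    $conn.Bind()
    Write-Host "SSL bind as $BindDn succeeded; certificate verification passed"
} catch [System.DirectoryServices.Protocols.LdapException] {
    Write-Host "Bind failed: $($_.Exception.Message) (LDAP error code $($_.Exception.ErrorCode))"
}
```

If step 3 fails only with Use SSL on, the problem is the certificate or the name, not your LDAP contexts; if it fails with SSL off as well, revisit the server address and the bind account.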
To fully configure pGina, select Start → Programs → pGina → Configuration Tool. (The installer launches this program automatically by default, so it may already be running.) The result is the main pGina configuration dialog box, shown in Figure 8-8. Basic configuration at this point is fairly simple: click Browse to locate the LDAP plugin. If you haven't tested the plugin, though, you'll also need to click Configure to configure it. Testing your configuration can be tricky unless you use the plugin tester program, as just described.
Figure 8-8. The main pGina configuration dialog box
In addition to the basic configuration, you may want to adjust some of the more advanced features of pGina:
Once you've configured pGina, you need to reboot the computer for the changes to take effect. Once you do, you'll be greeted by a new pGina login prompt, as shown in Figure 8-9. You should be able to log on using any of the accounts defined on your LDAP server, as well as any accounts that are defined locally on the Windows system. When you log on using an LDAP account, pGina automatically generates a matching local account. The user thereafter appears in the local user database unless you manually delete the accounts or uncheck the Keep Profiles checkbox, as just described.
Figure 8-9. Once pGina is working, it presents its own logon screen rather than the default Windows logon screen