Using pGina to authenticate users on Windows PCs

Overview

To use LDAP to authenticate users on Windows PCs, you can use pGina, a replacement for the Windows logon component (a GINA dynamic-link library in the 2.x releases, a credential provider in 3.0). pGina is available from http://pgina.org. You will require a Special DN, the LDAP account whose credentials pGina uses to search the directory for the user before checking the user's own password. They can be requested here.

Windows 7 users may need to add the IP address and hostname for the UH LDAP server, ldap1.its.hawaii.edu, to the Windows hosts file.

Vista and Windows 7

  • pGina 3.0 has been released as of April 2012 and is reported to be compatible with Windows 7.
  • pGina 2.1 (the July 2010 release) seems to no longer pass the LDAP admin (Special DN) credentials properly. As a result, it only works to authenticate faculty and staff.
  • pGina 2.0 does appear to work with Vista and Windows 7, but only after adding this line to the hosts file:
    128.171.224.193 ldap1.its.hawaii.edu

Campuses may want to limit PC logons to the students, faculty, and staff of that campus. To do this, open the pGina configuration screen and change the Filter from (uid=%s) to something like (&(uid=%s)(uhOrgAffiliation=eduPersonOrgDn=kcc,eduPersonAffiliation=*)) . pGina replaces %s with the name the user types at logon; the second term of the AND requires a uhOrgAffiliation value for the campus, with any eduPersonAffiliation (the trailing * is an LDAP wildcard). In this example the eduPersonOrgDn value is kcc, for Kapiolani Community College.

Values for eduPersonOrgDn are:

  • hawcc — Hawaii Community College
  • hcc — Honolulu Community College
  • kcc — Kapiolani Community College
  • kauaicc — Kauai Community College
  • lcc — Leeward Community College
  • mauicc — Maui College
  • wcc — Windward Community College
  • uhh — University of Hawaii at Hilo
  • uhm — University of Hawaii at Manoa
  • uhwo — University of Hawaii – West Oahu
  • rcuh — Research Corporation of UH
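The filter above is a template that pGina fills in at logon time, which makes it the one place where untrusted input (the typed username) meets LDAP syntax. The following is an added example, not code from the pGina project or from this page: it builds the campus-restricted filter for each eduPersonOrgDn value listed above, escapes the username per RFC 4515, and parses the result to confirm that exactly one literal uid is being asserted. How pGina itself performs the %s substitution is not documented here, so the script assumes a plain string substitution and shows what escaping must guarantee; the function names and the sample usernames are constructed for the example.

```python
# Added example: campus-restricted pGina LDAP filter, with RFC 4515 escaping and a
# parser that checks the rendered filter still pins down a single literal uid.
# Not part of pGina; the %s substitution modelled here is an assumption.

# eduPersonOrgDn values and campus names, as listed on this page.
EDU_PERSON_ORG_DN = {
    "hawcc": "Hawaii Community College",
    "hcc": "Honolulu Community College",
    "kcc": "Kapiolani Community College",
    "kauaicc": "Kauai Community College",
    "lcc": "Leeward Community College",
    "mauicc": "Maui College",
    "wcc": "Windward Community College",
    "uhh": "University of Hawaii at Hilo",
    "uhm": "University of Hawaii at Manoa",
    "uhwo": "University of Hawaii - West Oahu",
    "rcuh": "Research Corporation of UH",
}

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_ESCAPE = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter."""
    out = []
    for ch in value:
        if ch in _ESCAPE:
            out.append(_ESCAPE[ch])
        elif ord(ch) > 0x7F:  # non-ASCII: escape each UTF-8 byte
            out.append("".join(r"\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def campus_filter(campus: str) -> str:
    """Return the pGina filter template that restricts logons to one campus."""
    if campus not in EDU_PERSON_ORG_DN:
        raise ValueError(f"unknown eduPersonOrgDn value: {campus}")
    return f"(&(uid=%s)(uhOrgAffiliation=eduPersonOrgDn={campus},eduPersonAffiliation=*))"


def render_filter(template: str, username: str, escape: bool = True) -> str:
    """Substitute the logon name for %s (assumed to mirror what pGina does)."""
    return template.replace("%s", ldap_escape(username) if escape else username)


def parse_filter(s: str):
    """Parse a filter into ('&'|'|', [subs]), ('!', sub) or ('=', attr, value)."""
    pos = 0

    def parse():
        nonlocal pos
        if pos >= len(s) or s[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if s[pos] in ("&", "|"):
            op = s[pos]
            pos += 1
            subs = []
            while pos < len(s) and s[pos] == "(":
                subs.append(parse())
            node = (op, subs)
        elif s[pos] == "!":
            pos += 1
            node = ("!", parse())
        else:
            end = s.index(")", pos)  # a literal ')' inside a value is escaped as \29
            attr, _, value = s[pos:end].partition("=")
            node = ("=", attr, value)
            pos = end
        if pos >= len(s) or s[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return node

    node = parse()
    if pos != len(s):
        raise ValueError("trailing data after filter")
    return node


def _uid_values(node):
    kind = node[0]
    if kind in ("&", "|"):
        return [v for sub in node[1] for v in _uid_values(sub)]
    if kind == "!":
        return _uid_values(node[1])
    return [node[2]] if node[1].lower() == "uid" else []


def uid_values(template: str, username: str, escape: bool = True):
    """Every uid= value asserted by the rendered filter (should be exactly one)."""
    return _uid_values(parse_filter(render_filter(template, username, escape)))


def filter_is_safe(template: str, username: str, escape: bool = True) -> bool:
    """True only when the rendered filter asserts one literal uid with no wildcard."""
    uids = uid_values(template, username, escape)
    return len(uids) == 1 and "*" not in uids[0] and uids[0] == ldap_escape(username)


if __name__ == "__main__":
    tmpl = campus_filter("kcc")
    for name in ("jdoe", "*)(uid=*"):          # constructed sample logon names
        print(name, "escaped ->", render_filter(tmpl, name), filter_is_safe(tmpl, name))
        print(name, "raw     ->", render_filter(tmpl, name, escape=False),
              filter_is_safe(tmpl, name, escape=False))
```

The second sample name shows the failure mode: spliced in raw, `*)(uid=*` turns the filter into `(&(uid=*)(uid=*)(uhOrgAffiliation=...))`, which matches every campus account rather than one, while the escaped form keeps it as a single literal uid that no entry will match. The user still has to bind with a password, so a loose filter does not by itself grant access, but it changes which entry pGina tries to bind as, which is worth checking after editing the template.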

pGina Online Community

The pGina community operates a Google Group with searchable archives and an active community that answers newly posted questions.

Questions and Answers

Question: Does pGina store passwords?

If LDAP authentication is successful, does pGina 3.0 use the cleartext password and rehash the Windows password with it so that, eventually, the repository of hashed Windows passwords is a subset of the LDAP passwords (though hashed)? We've inferred this from our internal discussions, which are somewhat dated, but would like to understand this better. Thanks for any info.

Answer: provided by the developer

pGina does not have a "repository of hashed windows passwords." Are you referring to the Windows local account store (SAM)? pGina works (in a typical LDAP-based configuration) by creating a local Windows account that has the same username and password as the LDAP account. That local account may be deleted after the user has logged out, if the Local Machine plugin is configured to do so. If it is not configured to do so, there may be a set of local accounts that is a subset of the LDAP accounts (those users who have logged on to the machine). Those accounts may or may not have the same password as the LDAP accounts depending on how the Local Machine plugin is configured (see the "Scramble password after logout" option). For more information, please take a look at the documentation for the Local Machine plugin, and the pGina user's guide. Let me know if there is something that could be more clear.
  • http://pgina.org/docs/local_machine.html
  • http://pgina.org/docs/user.html
Thanks,
David