Hi.
I'm new to the world of LDAP and directory servers and trying to figure out the best solution to my problem.
This isn't exactly OpenLDAP-specific; I still haven't figured out whether OpenLDAP is the right thing to use or whether there is any good solution to my situation.
So I hope you'll forgive me for asking this here, but I'm hoping to tap into the collective knowledge of this list for ideas.
My situation is that I have taken over the systems administration of a group of Linux servers for the Computer Science department at my school. The school has an IT department, but we would like to be independent of them, both to relieve them of as much as possible of our demands (which can be quite demanding and unorthodox) as well as to have a more agile environment here (again touching on the fact that they are overloaded).
The IT department mostly runs Microsoft solutions, and the whole domain is controlled by Active Directory. I'm not familiar with AD myself, so I don't know whether it's a particularly "good setup" or not, but I have no reason to believe otherwise.
So, what I want to do is set up our own directory server but of course I would like to use some open source solutions... or at the very least, something that runs on Linux. There I would like to control authorization for different users to different servers, clusters, web systems (such as wiki webs, Subversion, bug tracking software etc). On the other hand, I would prefer that authentication be somehow delegated to the AD server for any user who is on the domain to avoid duplicating data. However, I still would like to be able to define additional users in my LDAP directory server that are not necessarily on the domain. So my setup would have to be able to distinguish whether authentication should be handled by my LDAP server or the AD server. I would think this could happen in two ways: 1) user credentials are replicated over to the LDAP server from AD which means that LDAP would handle all authentication or 2) LDAP server would delegate authentication for users it cannot authenticate to the AD server but otherwise it would handle the users it knows. I assume 1 is difficult to do as sending the user credentials out from AD is probably considered bad practice (if it is at all possible that is).
The backup plan would be for me to get administrative rights to some part of the AD server, and then we'd use only that server for all authentication and authorization requirements. But as I said, we would like to be as independent from their services as possible, in addition to not being particularly fond of having to use AD (is there any sort of usable web access to that? Would this mean I would have to have a Windows box set up to perform any administrative tasks?).
This is my situation. Sorry for the long-winded explanation. Does anybody have an idea of how to accomplish something like this? I'd be happy to hear about any case studies or white papers on similar subjects (I can't believe I'm the first one to want to do this). I'm also open to suggestions on what tools to use. Open source is not a requirement (but preferred).
Best regards, Stefan Freyr.
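One way to realise the poster's option 2 with OpenLDAP, added here as an illustration and not part of the original message, is slapd's SASL pass-through: entries whose userPassword is `{SASL}user@REALM` are verified by saslauthd against AD, while entries with a locally stored hash are verified by slapd itself, so the local-versus-AD decision is made per entry rather than by fallback. Hostnames, DNs, file paths and the lookup account below are placeholders.

```conf
# --- /etc/saslauthd.conf: saslauthd's LDAP backend, pointed at AD ---
# Host, base DN and the read-only lookup account are placeholders.
ldap_servers: ldaps://ad.example.edu
ldap_tls_cacert_file: /etc/ssl/certs/ad-ca.pem
ldap_search_base: dc=example,dc=edu
ldap_filter: (sAMAccountName=%u)
ldap_bind_dn: cn=ldap-lookup,ou=Service Accounts,dc=example,dc=edu
ldap_bind_pw: <placeholder>
# Default method: look the user up with the lookup account, then bind
# as the DN found with the supplied password to verify it.
ldap_auth_method: bind

# Start saslauthd with the LDAP mechanism:
#   saslauthd -a ldap -O /etc/saslauthd.conf

# --- /etc/sasl2/slapd.conf (location varies by distribution) ---
# Tell slapd's SASL library to hand {SASL} passwords to saslauthd.
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

# --- people.ldif: the two kinds of entries in the CS directory ---
# Domain user: no password stored here; user "alice" and realm
# "EXAMPLE.EDU" go to saslauthd, which checks them against AD.
dn: uid=alice,ou=People,dc=cs,dc=example,dc=edu
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example
userPassword: {SASL}alice@EXAMPLE.EDU

# Non-domain user: hash stored and verified by slapd itself; AD is never asked.
dn: uid=visitor1,ou=People,dc=cs,dc=example,dc=edu
objectClass: inetOrgPerson
uid: visitor1
cn: Visiting Researcher
sn: Researcher
userPassword: {SSHA}<hash generated with slappasswd>

# Both entries answer an ordinary simple bind, e.g.
#   ldapwhoami -x -ZZ -H ldap://ldap.cs.example.edu \
#     -D uid=alice,ou=People,dc=cs,dc=example,dc=edu -W
# so wiki, Subversion and bug tracker need not know which path was taken.
# Require TLS on that bind (-ZZ) as well: the password crosses slapd in the clear.
```

With this layout authorization (groups, which hosts or services a user may reach) lives entirely in the CS directory, and AD is consulted only to check a domain user's password.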