On 15/06/2010 16:39, Markus wrote:
Hello list,
I'm on SLES 11 and the mission is to allow Active Directory (AD) users to log in to Linux. The difficulty is that those users are stored in two separate ADs which have no connection to each other. Both ADs are running on Windows 2003 R2 (or later) and I'm using the LDAP PADL NSS (/etc/ldap.conf) implementation to map the UNIX attributes that are stored in the AD to local values (homedir, shell, UID/GID etc.). So far so good, everything works fine (getent passwd, PAM logins).
Now, when searching for a solution on how to query two ADs via LDAP at the same time, it seems that OpenLDAP supports multiple LDAP search bases, and there was also a mention of the translucent overlay feature, so I suppose that using OpenLDAP I could fetch the UNIX attributes from both ADs simultaneously.
Yes, you can use OpenLDAP as a proxy to the two ADs via LDAP. Check out the slapd-meta man page (meta is a backend that can proxy several remote LDAP databases).
The translucent overlay would allow you to store extra information on your OpenLDAP server that's not in the AD directories. It doesn't sound like this is necessary for you, but I may be wrong.
Hope this helps, Jonathan
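To make the slapd-meta suggestion concrete for the setup Markus describes (SLES 11, PADL nss_ldap, two unrelated forests), here is a minimal configuration. This is an added illustration, not configuration posted by anyone in the thread: the hostnames, the virtual suffix dc=proxy,dc=example,dc=com, the remote naming contexts dc=corpa,dc=local and dc=corpb,dc=internal, and the cn=ldapproxy service accounts are all assumptions. Check every directive against slapd-meta(5) and slapd-ldap(5) for the OpenLDAP 2.4 version your SLES ships.

```conf
# /etc/openldap/slapd.conf  (added example; names and DNs are assumptions)
# One virtual suffix, two AD forests mounted under it as ou=corpa and ou=corpb.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema          # posixAccount/posixGroup attribute types
# moduleload    back_meta.la   # only if your slapd builds back-meta as a module

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

database        meta
suffix          "dc=proxy,dc=example,dc=com"
rebind-as-user  yes      # forward client simple binds (pam_ldap) to the matching target
chase-referrals no       # AD returns referrals for other partitions; do not follow them ...
norefs          yes      # ... and do not hand them to nss_ldap either

# Target 1: forest A. The URI carries the LOCAL subtree, suffixmassage maps it to the remote base.
# ldaps:// assumed; the CA for the DC certificate goes in the libldap ldap.conf (TLS_CACERT).
uri             "ldaps://dc1.corpa.example.com/ou=corpa,dc=proxy,dc=example,dc=com"
suffixmassage   "ou=corpa,dc=proxy,dc=example,dc=com" "dc=corpa,dc=local"
# AD refuses anonymous searches, so the proxy searches as a dedicated read-only account
# for every client (mode=none: no proxyAuthz control, just bind as this identity).
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=corpa,dc=local"
                credentials="CHANGE_ME"
                mode=none
                flags=non-prescriptive
idassert-authzFrom "*"

# Target 2: forest B, same pattern with its own service account.
uri             "ldaps://dc1.corpb.example.net/ou=corpb,dc=proxy,dc=example,dc=com"
suffixmassage   "ou=corpb,dc=proxy,dc=example,dc=com" "dc=corpb,dc=internal"
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=corpb,dc=internal"
                credentials="CHANGE_ME"
                mode=none
                flags=non-prescriptive
idassert-authzFrom "*"

# /etc/ldap.conf  (PADL nss_ldap / pam_ldap on the same host; added example)
# Only the server and base change: the existing nss_map_objectclass / nss_map_attribute
# lines for sAMAccountName, unixHomeDirectory etc. stay exactly as they are today.
uri             ldap://127.0.0.1/
ldap_version    3
base            dc=proxy,dc=example,dc=com
scope           sub
nss_base_passwd dc=proxy,dc=example,dc=com?sub
nss_base_group  dc=proxy,dc=example,dc=com?sub
```

With this, nss_ldap talks anonymously to the loopback slapd; a subtree search below the virtual suffix is fanned out to both targets and the merged result is what `getent passwd` sees, and a pam_ldap simple bind as cn=...,ou=corpa,dc=proxy,... is massaged and forwarded to forest A only. A quick check is `ldapsearch -x -H ldap://127.0.0.1 -b dc=proxy,dc=example,dc=com '(uidNumber=*)' uid uidNumber`; if slapd logs complaints about attribute types it does not know (the AD-specific ones), declare them in a small local schema file. Two caveats a practitioner would want: slapd.conf now holds two AD passwords in clear text, so keep it root/ldap readable only and use accounts that can do nothing but read the RFC 2307 attributes; and the proxy does not arbitrate uidNumber/gidNumber collisions between two forests that have never coordinated their ranges, so audit that before the first login.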
What completely puzzles me is the NSS/PAM configuration and how PADL NSS and OpenLDAP interact, or rather don't interact:
- If I configure OpenLDAP (/etc/openldap/ldap.conf) instead of PADL NSS (/etc/ldap.conf), how do I configure NSS/PAM for OpenLDAP? I need "getent passwd" and "getent group" and of course PAM logins to work. E.g. getent passwd has to give me back all users from BOTH ADs that have UNIX attributes stored. But since there seems to be only the PADL NSS module in existence (/lib/libnss_ldap.so.2), I am clueless about how to integrate the OpenLDAP variant. Shouldn't there be something like /lib/libnss_openldap.so, and shouldn't I be able to add something like "passwd: compat openldap" to /etc/nsswitch.conf? I guess not, but I don't understand why.
- So that leaves me with the idea of *somehow* fetching the UNIX attributes from both ADs via OpenLDAP, setting up a local OpenLDAP server to store this information in, and then using the PADL NSS module to query it. I'm not sure if this is the right approach or if this is even technically feasible. Is there maybe an easier way with less overhead (e.g. no OpenLDAP server required)?
Thank you very much for any hints or pointers that you might share with me! I'm really lost...
Best regards, Markus