Marc Patermann wrote:
> Hi,
>
> Andrew Findlay wrote (27.04.2015 21:06):
>> On Mon, Apr 27, 2015 at 06:27:39PM +0000, Ross, Daniel B. wrote:
>>
>> All of my customers so far have chosen the parallel approach, as that allows the Unix LDAP to continue working if it loses access to AD. Ideally this includes installing a module on the AD Domain Controllers that detects password changes and forwards them immediately to the Unix LDAP. I have generally used Microsoft's SFU password-capture module for this, as AD admins seem happier to install Microsoft code than things from other sources. It does have its problems though, and the code quality of the Unix end that they provide leaves a lot to be desired. I believe newer AD versions come with an updated version of this built in, but I have not tested it.
>
> I don't know about AD; I googled around a bit. I found "Identity Management for UNIX: Password Synchronization" as a successor to SFU, is this true? Is this the thing MS is currently offering?
> https://technet.microsoft.com/en-us/library/cc776179%28v=ws.10%29.aspx
> Using NIS and installing a PAM module on every machine!?
Not the only way.
http://www.openldap.org/lists/openldap-devel/200811/msg00045.html
You can create a slapd overlay that talks to the AD password synch module to do two-way password synchronization.