That Kerberos solution might work. I could set up a Kerberos server with a backend using my own ldap and have AD trust it for authentication? I must say I know very little about setting up a Kerberos server. I'm going to head down that road, unless someone sees issues there? Have you ever set up or seen something working like that? Thanks.
On Fri, Jun 6, 2014 at 3:36 PM, Peter Gietz peter.gietz@daasi.de wrote:
Am 06.06.2014 20:54, schrieb Justin Stanczak:
Is there a method of connecting Active Directory to use OpenLDAP as the authentication source. So pass through to OpenLDAP. Making OpenLDAP the primary system with all the passwords and usernames. I realize this might be more of a AD question, but the places I've looked seem to always make AD the primary. Then everyone else must proxy to AD. Thanks.
May be you could achieve such with a realm trust between any non-Windows Kerberos version 5 (V5) realm and an Active Directory domain and use a Kerberos system that can be configured to use OpenLDAP as data backend. But that is just a mere guess.
But what you also could do is provision AD from OpenLDAP. For the password you would need to have the clear text stored in a reversible encrypted way (we use X509 asymmetric encryption in our projects), or create the AD hashes and store them in OpenLDAP, when a user changes her password. Both is quite some work but doable and makes sense within a broader identity management project.
What you also could do is get away with AD and use samba with OpenLDAP backend instead ;-)
Just some thoughts, hoping it helps,
Peter