That Kerberos solution might work. I could set up a Kerberos server with a backend using my own ldap and have AD trust it for authentication? I must say I know very little about setting up a Kerberos server. I'm going to head down that road, unless someone sees issues there? Have you ever set up or seen something working like that? Thanks.


On Fri, Jun 6, 2014 at 3:36 PM, Peter Gietz <peter.gietz@daasi.de> wrote:
Am 06.06.2014 20:54, schrieb Justin Stanczak:
> Is there a method of connecting Active Directory to use OpenLDAP as
> the authentication source. So pass through to OpenLDAP. Making
> OpenLDAP the primary system with all the passwords and usernames. I
> realize this might be more of a AD question, but the places I've
> looked seem to always make AD the primary. Then everyone else must
> proxy to AD. Thanks.

May be you could achieve such with  a realm trust between any
non-Windows Kerberos version 5 (V5) realm and an Active Directory domain
and use a Kerberos system that can be configured to use OpenLDAP as data
backend. But that is just a mere guess.

But what you also could do is provision AD from OpenLDAP. For the
password you would need to have the clear text stored in a reversible
encrypted way (we use X509 asymmetric encryption in our projects), or
create the AD hashes and store them in OpenLDAP, when a user changes her
password.  Both is quite some work but doable and makes sense within a
broader identity management project.

What you also could do is get away with AD and use samba with OpenLDAP
backend instead ;-)

Just some thoughts, hoping it helps,

Peter