Hello list,
I'm on SLES 11 and the mission is to allow Active Directory (AD) users to log in to Linux. The difficulty is that those users are stored in two separate ADs which have no connection to each other. Both ADs are running on Windows 2003 R2 (or later) and I'm using the LDAP PADL NSS (/etc/ldap.conf) implementation to map the UNIX attributes that are stored in the AD to local values (homedir, shell, UID/GID etc.). So far so good, everything works fine (getent passwd, PAM logins).
Now, when searching for a solution on how to query two ADs via LDAP at the same time, it seems that OpenLDAP supports multiple LDAP search bases, and there was also a mention of the translucent overlay feature, so I suppose that using OpenLDAP I could fetch the UNIX attributes from both ADs simultaneously.
What completely puzzles me is the NSS/PAM configuration and how PADL NSS and OpenLDAP interact, or rather don't interact:
- If I configure OpenLDAP (/etc/openldap/ldap.conf) instead of PADL NSS (/etc/ldap.conf), how do I configure NSS/PAM for OpenLDAP? I need "getent passwd" and "getent group" and of course PAM logins to work. E.g. getent passwd has to give me back all users from BOTH ADs that have UNIX attributes stored. But since there seems to be only the PADL NSS module in existence (/lib/libnss_ldap.so.2), I am clueless on how to integrate the OpenLDAP variant. Shouldn't there be something like /lib/libnss_openldap.so, and shouldn't I be able to add something like "passwd: compat openldap" to /etc/nsswitch.conf? I guess not, but I don't understand why.
- So that leaves me with the idea of *somehow* fetching the UNIX attributes from both ADs via OpenLDAP, setting up a local OpenLDAP server to store this information in, and then using the PADL NSS module to query it. I'm not sure if this is the right approach or if this is even technically feasible. Is there maybe an easier way with less overhead (e.g. no OpenLDAP server required)?
Thank you very much for any hints or pointers that you might share with me! I'm really lost...
Best regards,
Markus
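An added example, not part of Markus's post and not code from PADL or glibc: a small POSIX sh script that models the one rule glibc applies to the lines in /etc/nsswitch.conf. Every source name on a database line ("compat", "files", "ldap", ...) is mapped to the shared object libnss_<source>.so.2 and loaded with dlopen(); a name for which no such object exists is simply skipped, which is why "passwd: compat openldap" would do nothing useful. The nsswitch.conf contents and the fixture directory with empty libnss_*.so.2 files are constructed for the demonstration; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): model how glibc resolves the
# source names in nsswitch.conf to NSS modules. Fixture data is constructed.

# nss_sources FILE DB: print the source names configured for database DB,
# with comments and action specs such as [NOTFOUND=return] removed.
nss_sources() {
    _f=$1; _db=$2
    sed -n "s/^[[:space:]]*$_db:[[:space:]]*//p" "$_f" |
        sed 's/#.*//; s/\[[^]]*\]//g' |
        tr -s '[:space:]' ' ' |
        sed 's/^ //; s/ $//'
}

# nss_missing_modules FILE DB LIBDIR: print the sources for DB whose
# libnss_<source>.so.2 is absent from LIBDIR. glibc skips such sources,
# so "openldap" contributes nothing to getent passwd.
nss_missing_modules() {
    _mf=$1; _mdb=$2; _libdir=$3
    for _src in $(nss_sources "$_mf" "$_mdb"); do
        [ -e "$_libdir/libnss_$_src.so.2" ] || printf '%s\n' "$_src"
    done
}

# make_fixture: build a throwaway tree with a constructed nsswitch.conf and
# empty stand-ins for the modules a SLES 11 box actually ships; print its path.
make_fixture() {
    _d=$(mktemp -d)
    mkdir "$_d/lib"
    for _m in compat files dns ldap; do : > "$_d/lib/libnss_$_m.so.2"; done
    cat > "$_d/nsswitch.conf" <<'EOF'
# constructed sample, not a real SLES file
passwd:   compat openldap
group:    compat openldap
hosts:    files dns [NOTFOUND=return] ldap   # trailing comment
EOF
    printf '%s\n' "$_d"
}

# Demo: "openldap" is reported as unloadable, the real sources are not.
fixture=$(make_fixture)
printf 'passwd sources: %s\n' "$(nss_sources "$fixture/nsswitch.conf" passwd)"
printf 'passwd missing: %s\n' "$(nss_missing_modules "$fixture/nsswitch.conf" passwd "$fixture/lib")"
printf 'hosts missing:  %s\n' "$(nss_missing_modules "$fixture/nsswitch.conf" hosts "$fixture/lib")"
rm -rf "$fixture"
```

Run against the real /etc/nsswitch.conf and /lib on the box (`nss_missing_modules /etc/nsswitch.conf passwd /lib`) to see which sources glibc can actually load. The same rule also explains why listing `ldap` twice does not help: both entries load the same libnss_ldap.so.2, which reads the same /etc/ldap.conf, and the multiple `uri`/`host` values that file accepts are tried for failover, not merged.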