-----Original Message-----
From: openldap-technical-bounces+christopher.barry=qlogic.com@openldap.org [mailto:openldap-technical-bounces+christopher.barry=qlogic.com@openldap.org] On Behalf Of Dieter Kluenter
Sent: Tuesday, September 23, 2008 1:11 PM
To: openldap-technical@openldap.org
Subject: Re: RFT0001 : Request For Thoughts
"Christopher Barry" christopher.barry@qlogic.com writes:
> Hi everyone,
> [..]
> The Parts Bin: There's a bunch of parts around, and they all kind of fit together, but to my current understanding anyway, seem to create a few different incomplete solutions, such as:
> - Samba/Winbind/Kerberos (possibly backed by OpenLDAP)
No, this is not possible, ask on a samba list for reasons.
> - OpenLDAP/Kerberos with trusts to AD
yes, this can be done,
> - AD using 2003R2 and possibly custom schema modifications if required.
this could be done
> My question really is what are others doing to solve this type of problem? Architecturally, what is the best approach given the above desired outcome?
If you administer a homogeneous Windows network, keep AD as primary domain controller (just KDC) and configure Samba as backup controller. If you administer a heterogeneous network, get, in addition to the above mentioned design, OpenLDAP plus Heimdal Kerberos to administer Unix hosts and users and create a trust relation to AD.
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
53°08'09,95"N 10°08'02,42"E
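For readers wondering what the "trust relation to AD" in the design above looks like on the Unix side, here is an added example of a client-side krb5.conf that is not part of the thread: a Unix realm served by Heimdal (user data in OpenLDAP) with a cross-realm trust to an AD realm. The realm names, host names and the parenthesised client-side details are assumptions chosen for illustration; only the section names and keys are standard krb5.conf syntax shared by Heimdal and MIT.

```ini
; Added example, not from the mailing-list thread.
; Realm and host names below are placeholders.

[libdefaults]
    ; Unix hosts authenticate against the Unix realm by default.
    default_realm = UNIX.EXAMPLE.COM
    dns_lookup_kdc = false
    ticket_lifetime = 10h
    forwardable = true

[realms]
    ; Heimdal KDC whose principal database is kept in OpenLDAP.
    UNIX.EXAMPLE.COM = {
        kdc = kdc1.unix.example.com
        admin_server = kdc1.unix.example.com
    }
    ; The AD domain controllers act as KDCs for the Windows realm.
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
        kdc = dc2.ad.example.com
        admin_server = dc1.ad.example.com
    }

[domain_realm]
    ; Map DNS names to realms so that AD-joined hosts are recognised
    ; as belonging to the Windows realm and Unix hosts to the Unix one.
    .unix.example.com = UNIX.EXAMPLE.COM
    unix.example.com  = UNIX.EXAMPLE.COM
    .ad.example.com   = AD.EXAMPLE.COM
    ad.example.com    = AD.EXAMPLE.COM

[capaths]
    ; Direct trust: a client in one realm obtains a cross-realm TGT
    ; straight from the other realm's krbtgt, no intermediate realm.
    UNIX.EXAMPLE.COM = {
        AD.EXAMPLE.COM = .
    }
    AD.EXAMPLE.COM = {
        UNIX.EXAMPLE.COM = .
    }
```

This file only tells clients how to locate KDCs and which path to take between realms; the trust itself exists once both KDCs hold the cross-realm principals (krbtgt/AD.EXAMPLE.COM@UNIX.EXAMPLE.COM and krbtgt/UNIX.EXAMPLE.COM@AD.EXAMPLE.COM) with matching keys and encryption types. Keeping the [capaths] entries explicit, rather than letting clients discover paths by hierarchy, makes it obvious in review which realms may issue tickets accepted by your Unix hosts.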
Thanks Dieter.
Why Heimdal as opposed to MIT? Is it better at AD interop, or are you thinking about crypto restrictions?
Also, would you recommend keeping all user/group data in AD proper, but all other NIS related stuff in OpenLDAP?
Regards, -C