On Wed, Nov 21, 2012 at 03:50:03PM -0500, Mailing Lists wrote:
As I thought about it more, I realized we could use LDAP to centralize our Linux users, groups, and access to other LDAP-enabled applications. The point of all this is, that I don't need to proxy Active Directory (and its schema) in its entirety, I really just want to use it as a central repository for user info and authentication.
So, I guess, my first question is: Is this a viable use case? All signs seem to point to yes, but I just want to make sure.
In principle, yes you can do this. In practice of course it depends on the details... If you want AD to store all the attributes needed by SAMBA and Linux clients, are you prepared to add them to the AD schema? Will they conflict with something that is already there? Remember that although AD provides an LDAP interface, it is not entirely compliant with LDAP standards - particularly with respect to schema.
I currently have a proxy database configured that is successfully proxying/ querying our AD infrastructure. From what I've read, OpenLDAP 2.3 and newer have the ability to proxy unknown schemas, but will be not be able to do any advanced filtering because the schema is unknown. My question is, given a full export of the AD schema from CN=Schema,CN=Configuration,DC=corp,DC=whatever,DC= com via LDIFDE, is there a way to leverage this to re-create parts of the AD schema so that OpenLDAP can perform native filtering? I'm primarily only interested in the user objects (ObjectClass=user).
You may need to do a bit of editing and reformatting on the schema entries but in principle yes you can add AD-like schema to OpenLDAP. You will have to watch out for schema that is incompatible with the built-in standard schema, but you can probably get close enough to do something useful.
users. I've also seen the AD/Outlook Global Address List entry in the FAQ, but that involves editing the OpenLDAP provided .schema files. If possible, i'd like to keep all of these AD related schemas within their own files and keep the OpenLDAP provided ones untouched.
Makes sense.
Andrew