This is probably better posted on the Kerberos list, but can Kerberos server work with AD? Meaning set up a Kerberos server (not MS) to authenticate users, and AD accepts tickets from that?
On Tue, Jun 10, 2014 at 9:36 AM, Stewart Walters stewart.walters@gmail.com wrote:
Hi Justin,
My emails don't seem to arrive to the openldap-technical list.
But, (and please note, I've never actually done this before) you could use a virtual LDAP directory front-end to combine portions of both AD and OpenLDAP to provide clients with a single unified view. In theory the client can't tell the difference between data from one or the other (though I imagine that the theory and the practice of this is completely different, which is why I've never attempted this).
Such products that provide this are MyVD (http://myvd.sourceforge.net/) and some commercial ones like RadiantOne VDS, Virtual Identity Server, Virtual LDAP Server EE.
However all of that complicates what should be a relatively simple thing - storing and retrieving an identity held within a directory. I wouldn't recommend looking at virtual directories as a way forward, you're likely to run into bigger problems by over-engineering the solution.
I find it's best to keep things simple. Either keep the OpenLDAP and AD identities separate between the two directories, or if you have to, look towards suggestions made by others (such as using Kerberos V5 Trusted Realm+OpenLDAP; or Samba+OpenLDAP).
Best of luck,
Stewart
On Thu, 12 Jun 2014 12:22:00 -0400, Justin Stanczak rizenine@gmail.com wrote:
This is probably better posted on the Kerberos list, but can Kerberos server work with AD? Meaning set up a Kerberos server (not MS) to authenticate users, and AD accepts tickets from that?
Yes, this can be done. There is some Microsoft documentation on this topic, just search technet.microsoft.com.
-Dieter
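As an added illustration that is not part of this thread: a client-side krb5.conf for the "Kerberos V5 Trusted Realm" option Stewart mentions and Dieter confirms, where an AD domain accepts tickets issued by a non-Microsoft (MIT) realm. The realm names MIT.EXAMPLE.COM and AD.EXAMPLE.COM and the hosts kdc.mit.example.com and dc1.ad.example.com are assumed placeholders.

```ini
# Assumed placeholders: MIT.EXAMPLE.COM is the MIT Kerberos realm that
# authenticates users; AD.EXAMPLE.COM is the AD domain that trusts it.
[libdefaults]
    default_realm = MIT.EXAMPLE.COM
    # Static KDC list below, so no DNS SRV lookups for this example.
    dns_lookup_kdc = false

[realms]
    MIT.EXAMPLE.COM = {
        kdc = kdc.mit.example.com
        admin_server = kdc.mit.example.com
    }
    AD.EXAMPLE.COM = {
        # Domain controllers are the KDCs of an AD domain.
        kdc = dc1.ad.example.com
        admin_server = dc1.ad.example.com
    }

[domain_realm]
    # Map service hostnames to the realm that issues their service tickets,
    # so a request for host/srv.ad.example.com is sent to the AD side.
    .mit.example.com = MIT.EXAMPLE.COM
    mit.example.com = MIT.EXAMPLE.COM
    .ad.example.com = AD.EXAMPLE.COM
    ad.example.com = AD.EXAMPLE.COM

[capaths]
    # "." means a direct path: a MIT.EXAMPLE.COM TGT is exchanged for the
    # cross-realm TGT krbtgt/AD.EXAMPLE.COM@MIT.EXAMPLE.COM with no
    # intermediate realm.
    MIT.EXAMPLE.COM = {
        AD.EXAMPLE.COM = .
    }
```

The trust itself is created on the MIT KDC by adding the cross-realm principal krbtgt/AD.EXAMPLE.COM@MIT.EXAMPLE.COM with kadmin, and on a domain controller with `netdom trust ... /add /realm` using the same password. AD will only accept a MIT principal for an account once that principal is mapped to it, for example through the account's altSecurityIdentities attribute.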
openldap-technical@openldap.org