Hello,
My company network has several different domains, such as abc.net, abc.com and xyz.com (I don't use the real domain names because of our company's security policy). Each domain is managed by a dedicated Active Directory server.
Now, I want to use one OpenLDAP server to authenticate all users from these domains, because we want to manage the services they use (such as Mail, Portal) centrally. But at the moment I haven't any solution to this problem. Because the number of users is very large (approximately 10.000 users), I can't build the database by hand.
Can anyone suggest a solution to this problem?
Thanks and Best regards,
Duong Pham.
On Tue, Jan 13, 2009 at 02:30:27PM +0700, Duong Pham Tung (FIM HN) wrote:
> My company network has several different domains, such as abc.net, abc.com and xyz.com (I don't use the real domain names because of our company's security policy). Each domain is managed by a dedicated Active Directory server.
> Now, I want to use one OpenLDAP server to authenticate all users from these domains, because we want to manage the services they use (such as Mail, Portal) centrally. But at the moment I haven't any solution to this problem. Because the number of users is very large (approximately 10.000 users), I can't build the database by hand.
Do you mean that you want to have a single OpenLDAP server that refers authentication to the three backend servers?
Does each AD server manage a separate non-overlapping part of the tree? If so, you may be able to use OpenLDAP with back-meta to glue the three servers together into a single service without having to copy any data across.
In more complex cases you may have to copy data into OpenLDAP. 10,000 users is not very many, but you certainly would not want to copy the entries by hand. You may need to write some scripts to synchronise the data. The scripts could put an attribute into each entry in OpenLDAP to say which AD server the user came from. You could then use Pass-Through Authentication:
http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authenticat...
Andrew
Hi Andrew,
Thanks for your suggestion. I will try using OpenLDAP with back-meta.
> Do you mean that you want to have a single OpenLDAP server that refers authentication to the three backend servers?
I am working out more detail about my task: suppose someone such as Mr Deck, who has the account d@abc.com, wants to use the company mail service. He will send his username/password to the OpenLDAP server to authenticate for the mail service. He doesn't know anything about the AD server which manages the abc.com domain. The OpenLDAP server receives this authentication request and responds to the client that his access is granted or denied. Authenticating users from the other domains is similar.
But because of my company's structure, I have no Admin account or superuser account on these AD servers, which means I can't install any software (each domain is a sub-company). I can only look up info.
Best regards,
Duong Pham
> -----Original Message-----
> From: Andrew Findlay [mailto:andrew.findlay@skills-1st.co.uk]
> Sent: 14 January 2009 12:14 AM
> To: Duong Pham Tung (FIM HN)
> Cc: openldap-technical@openldap.org
> Subject: Re: OpenLDAP centralized authentication with Active Directory
> Do you mean that you want to have a single OpenLDAP server that refers authentication to the three backend servers?
> Does each AD server manage a separate non-overlapping part of the tree? If so, you may be able to use OpenLDAP with back-meta to glue the three servers together into a single service without having to copy any data across.
> In more complex cases you may have to copy data into OpenLDAP. 10,000 users is not very many, but you certainly would not want to copy the entries by hand. You may need to write some scripts to synchronise the data. The scripts could put an attribute into each entry in OpenLDAP to say which AD server the user came from. You could then use Pass-Through Authentication:
> http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication
> Andrew
"Duong Pham Tung (FIM HN)" DuongPT3@fpt.com.vn writes:
> Hello,
> My company network has several different domains, such as abc.net, abc.com and xyz.com (I don't use the real domain names because of our company's security policy). Each domain is managed by a dedicated Active Directory server.
> Now, I want to use one OpenLDAP server to authenticate all users from these domains, because we want to manage the services they use (such as Mail, Portal) centrally. But at the moment I haven't any solution to this problem. Because the number of users is very large (approximately 10.000 users), I can't build the database by hand.
> Can anyone suggest a solution to this problem?
You may set up back-meta and rewrite the different suffixes to a single suffix. There are examples in man slapd-meta(5) and man slapo-rwm(5).
-Dieter
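What Andrew's back-meta suggestion and Dieter's suffix rewrite look like together, as a slapd.conf fragment. This is an added example, not configuration from anyone in the thread; the AD host names, the unified suffix dc=corp,dc=example and the read-only lookup account names are assumptions.

```conf
# slapd.conf fragment: one OpenLDAP proxy in front of the three AD domains.
# Added example, not from the thread. Host names, the unified suffix
# dc=corp,dc=example and the read-only lookup accounts are assumptions.
include      /etc/openldap/schema/core.schema
include      /etc/openldap/schema/cosine.schema
include      /etc/openldap/schema/inetorgperson.schema
moduleload   back_meta
moduleload   back_ldap
moduleload   rwm

database     meta
suffix       "dc=corp,dc=example"
rootdn       "cn=proxyadmin,dc=corp,dc=example"
# Only authenticated clients (mail, portal) may read what the proxy returns.
access to *  by users read  by * none
# AD answers searches with referrals to other partitions; don't chase them.
chase-referrals no

# Target 1: abc.net. dc=abc,dc=net is presented as ou=abc.net,dc=corp,dc=example.
# A simple bind as cn=Deck,cn=Users,ou=abc.net,dc=corp,dc=example is rewritten to
# cn=Deck,cn=Users,dc=abc,dc=net and forwarded, so AD verifies the password and
# nothing is installed on, or copied from, the AD server.
uri            "ldap://ad-abcnet.example/ou=abc.net,dc=corp,dc=example"
suffixmassage  "ou=abc.net,dc=corp,dc=example" "dc=abc,dc=net"
# Present AD's login name as uid so consumers can search for (uid=d).
map attribute  uid sAMAccountName
# AD refuses anonymous searches, so the search that locates a user's DN before
# the bind goes out under a read-only lookup account (assumed name) in that domain.
idassert-bind  bindmethod=simple
               binddn="cn=ldaplookup,cn=Users,dc=abc,dc=net"
               credentials="CHANGE-ME"
               mode=none
               flags=non-prescriptive
idassert-authzFrom "dn.regex:.*"

# Target 2: abc.com, same pattern; xyz.com is a third copy of this block.
uri            "ldap://ad-abccom.example/ou=abc.com,dc=corp,dc=example"
suffixmassage  "ou=abc.com,dc=corp,dc=example" "dc=abc,dc=com"
map attribute  uid sAMAccountName
idassert-bind  bindmethod=simple
               binddn="cn=ldaplookup,cn=Users,dc=abc,dc=com"
               credentials="CHANGE-ME"
               mode=none
               flags=non-prescriptive
idassert-authzFrom "dn.regex:.*"
```

The proxy never stores passwords: each bind is rewritten and forwarded, so the per-domain AD server remains the only place credentials are checked, and the lookup accounts need nothing beyond read access.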