Is there a method of connecting Active Directory to use OpenLDAP as the authentication source. So pass through to OpenLDAP. Making OpenLDAP the primary system with all the passwords and usernames. I realize this might be more of an AD question, but the places I've looked seem to always make AD the primary. Then everyone else must proxy to AD. Thanks.
On 06/06/14 14:54 -0400, Justin Stanczak wrote:
Is there a method of connecting Active Directory to use OpenLDAP as the authentication source. So pass through to OpenLDAP. Making OpenLDAP the primary system with all the passwords and usernames. I realize this might be more of an AD question, but the places I've looked seem to always make AD the primary. Then everyone else must proxy to AD. Thanks.
What is your usage scenario? Are you supporting user logins to Windows systems? If so, see Samba.
I'm not an AD expert, but the department requesting this service wants to ease the management of their Windows environments. We currently use LDAP server from Oracle to manage our applications' data. One of those applications is where all identity data is created. So it would be nice to just make AD use that active directory server and keep AD out of the mix. Instead of switching all applications to store data in the AD server. I didn't think Samba covered all AD functions. I might be wrong, I've only ever used Samba for print and file sharing. I'm open to ideas, but I'm not a big MS fan, and primarily develop, not manage workstations. Thanks.
On Fri, Jun 6, 2014 at 3:03 PM, Dan White dwhite@olp.net wrote:
On 06/06/14 14:54 -0400, Justin Stanczak wrote:
Is there a method of connecting Active Directory to use OpenLDAP as the authentication source. So pass through to OpenLDAP. Making OpenLDAP the primary system with all the passwords and usernames. I realize this might be more of an AD question, but the places I've looked seem to always make AD the primary. Then everyone else must proxy to AD. Thanks.
What is your usage scenario? Are you supporting user logins to Windows systems? If so, see Samba.
-- Dan White
On 06.06.2014 20:54, Justin Stanczak wrote:
Is there a method of connecting Active Directory to use OpenLDAP as the authentication source. So pass through to OpenLDAP. Making OpenLDAP the primary system with all the passwords and usernames. I realize this might be more of an AD question, but the places I've looked seem to always make AD the primary. Then everyone else must proxy to AD. Thanks.
Maybe you could achieve such with a realm trust between any non-Windows Kerberos version 5 (V5) realm and an Active Directory domain and use a Kerberos system that can be configured to use OpenLDAP as data backend. But that is just a mere guess.
But what you also could do is provision AD from OpenLDAP. For the password you would need to have the clear text stored in a reversible encrypted way (we use X509 asymmetric encryption in our projects), or create the AD hashes and store them in OpenLDAP, when a user changes her password. Both are quite some work but doable and make sense within a broader identity management project.
What you also could do is get away with AD and use samba with OpenLDAP backend instead ;-)
Just some thoughts, hoping it helps,
Peter
That Kerberos solution might work. I could set up a Kerberos server with a backend using my own ldap and have AD trust it for authentication? I must say I know very little about setting up a Kerberos server. I'm going to head down that road, unless someone sees issues there? Have you ever set up or seen something working like that? Thanks.
On Fri, Jun 6, 2014 at 3:36 PM, Peter Gietz peter.gietz@daasi.de wrote:
On 06.06.2014 20:54, Justin Stanczak wrote:
Is there a method of connecting Active Directory to use OpenLDAP as the authentication source. So pass through to OpenLDAP. Making OpenLDAP the primary system with all the passwords and usernames. I realize this might be more of an AD question, but the places I've looked seem to always make AD the primary. Then everyone else must proxy to AD. Thanks.
Maybe you could achieve such with a realm trust between any non-Windows Kerberos version 5 (V5) realm and an Active Directory domain and use a Kerberos system that can be configured to use OpenLDAP as data backend. But that is just a mere guess.
But what you also could do is provision AD from OpenLDAP. For the password you would need to have the clear text stored in a reversible encrypted way (we use X509 asymmetric encryption in our projects), or create the AD hashes and store them in OpenLDAP, when a user changes her password. Both are quite some work but doable and make sense within a broader identity management project.
What you also could do is get away with AD and use samba with OpenLDAP backend instead ;-)
Just some thoughts, hoping it helps,
Peter
On Fri, 6 Jun 2014 14:54:15 -0400, Justin Stanczak rizenine@gmail.com wrote:
Is there a method of connecting Active Directory to use OpenLDAP as the authentication source. So pass through to OpenLDAP. Making OpenLDAP the primary system with all the passwords and usernames.
AD is more or less another LDAP service, so I estimate that you are looking for a way to replicate the whole tree or a part of OpenLDAP to Active Directory.
I have never seen that live but I could imagine that the main problem is that you are using a different schema for user management of your applications on OpenLDAP than MS systems are expecting from their AD. So you might need a kind of gateway for this replication, if you don't want to align your software to MS schema. And this must work bidirectionally because MS admins probably still want to use their GUI tools for administration.
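Two of the suggestions in this thread can be made concrete in code: Peter's point that provisioning passwords from OpenLDAP means either carrying the clear text to AD or pre-computing the Windows-style hash at password-change time, and Tobias's point that the OpenLDAP user schema has to be mapped onto what AD expects. The block below is an added example written for this page, not code from any poster or from the OpenLDAP or Samba projects. It assumes constructed DNs, a constructed UPN suffix and a constructed user; the MD4 routine is a plain RFC 1320 implementation included because hashlib's md4 is frequently unavailable under OpenSSL 3. The `sambaNTPassword` value is an unsalted MD4 of the UTF-16LE password, so a directory that stores it needs an ACL restricting read access to that attribute; the AD `unicodePwd` value is the quoted password in UTF-16LE and AD only accepts it over a TLS-protected connection.

```python
"""Added example: password and attribute mapping from an OpenLDAP identity
to (a) a Samba-style NT hash stored back in OpenLDAP and (b) an AD user LDIF.
All DNs, suffixes and the sample user are constructed for illustration."""
import base64
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 per RFC 1320 (three rounds, little-endian words)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = [
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    ]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers for the next step
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """Value Samba expects in sambaNTPassword: MD4 over UTF-16LE, upper-case hex."""
    return md4(password.encode("utf-16le")).hex().upper()


def ad_unicode_pwd(password: str) -> bytes:
    """Value AD expects in unicodePwd: the password in double quotes, UTF-16LE."""
    return ('"' + password + '"').encode("utf-16le")


def samba_password_modify_ldif(dn: str, password: str) -> str:
    """LDIF applied to OpenLDAP when a user changes her password (Peter's option)."""
    return (f"dn: {dn}\nchangetype: modify\nreplace: sambaNTPassword\n"
            f"sambaNTPassword: {nt_hash(password)}\n-\n")


# inetOrgPerson attribute -> AD user attribute (Tobias's schema mapping)
AD_ATTR_MAP = {"uid": "sAMAccountName", "cn": "cn", "sn": "sn",
               "givenName": "givenName", "mail": "mail"}


def provision_ad_ldif(entry: dict, ad_base_dn: str, upn_suffix: str, password: str) -> str:
    """Build an LDIF add for AD from an OpenLDAP inetOrgPerson entry (dict of str)."""
    lines = [f"dn: CN={entry['cn']},{ad_base_dn}", "changetype: add"]
    for oc in ("top", "person", "organizationalPerson", "user"):
        lines.append(f"objectClass: {oc}")
    for src, dst in AD_ATTR_MAP.items():
        if src in entry:
            lines.append(f"{dst}: {entry[src]}")
    lines.append(f"userPrincipalName: {entry['uid']}@{upn_suffix}")
    # binary value, so LDIF base64 syntax ('::'); only valid over LDAPS
    lines.append("unicodePwd:: " + base64.b64encode(ad_unicode_pwd(password)).decode())
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # constructed sample user; "example" domains are placeholders
    user = {"uid": "jdoe", "cn": "Jane Doe", "sn": "Doe", "givenName": "Jane",
            "mail": "jdoe@example.org"}
    print(samba_password_modify_ldif("uid=jdoe,ou=people,dc=example,dc=org", "Secret123"))
    print(provision_ad_ldif(user, "OU=Users,DC=example,DC=org", "example.org", "Secret123"))
```

The two password paths are deliberately separate: the NT-hash path only makes sense when the consumer is Samba (or another tool that reads Samba schema), while real AD will not accept a hash over LDAP at all, which is why Peter's first option requires having the clear text available at provisioning time.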
The data between the two would be different, and I don't think a gateway would be too difficult. My main concern is the passwords. I don't know how to update AD or make AD use LDAP for authentication. Peter's Kerberos suggestion seems like a good option. I don't really care if AD and OpenLDAP know about each other or not. I don't really want to do a mass password reset to sync.
On Fri, Jun 6, 2014 at 4:02 PM, Tobias Crefeld tclx@klekih-petra.de wrote:
On Fri, 6 Jun 2014 14:54:15 -0400, Justin Stanczak rizenine@gmail.com wrote:
Is there a method of connecting Active Directory to use OpenLDAP as the authentication source. So pass through to OpenLDAP. Making OpenLDAP the primary system with all the passwords and usernames.
AD is more or less another LDAP service, so I estimate that you are looking for a way to replicate the whole tree or a part of OpenLDAP to Active Directory.
I have never seen that live but I could imagine that the main problem is that you are using a different schema for user management of your applications on OpenLDAP than MS systems are expecting from their AD. So you might need a kind of gateway for this replication, if you don't want to align your software to MS schema. And this must work bidirectionally because MS admins probably still want to use their GUI tools for administration.
-- Regards, Tobias.
no email, only xmpp: crefeld@xabber.de
openldap-technical@openldap.org