Hello everyone,
I'm having a hard time. I should enable the sync of an AD (W2K3) and an LDAP (CentOS 5.3) server based on the mentioned system. I really don't know how to establish a sync of user accounts, groups, etc.
I have a test environment running with W2K3 AD and CentOS 5.3 LDAP with Kerberos for SSO (Single Sign-On), but the information is still located in the AD, not in the LDAP, and I want to authenticate against the LDAP server. I really don't know how to configure the AD / LDAP to sync, or to replicate the AD into LDAP.
Can someone help me out with a good "How-To" or maybe some config files, etc.
Many thanks in advance.
Kind regards
Markus Moj
IT Infrastructure & Services
TimoCom Soft- und Hardware GmbH
In der Steele 2, D-40599 Düsseldorf
Tel: +49 211 88 26 80 14, Fax: +49 211 88 26 70 14
eMail: MMoj@TimoCom.com, www.TimoCom.com
Managing directors: Jens Thiermann, Gunther Matzaitis
Amtsgericht Düsseldorf, HRB 34489
Hi,
I'm also interested in a similar synchronization. Anyone have/had some success on this that could comment?
Best Regards, Rui
On Tue, 2009-09-15 at 10:53 +0200, MMoj@timocom.com wrote:
On 15/09/2009 10:53, MMoj@timocom.com wrote:
Hi,
It sounds like you're facing several problems here:
1) How to sync user accounts and groups from AD to OpenLDAP
2) How to authenticate users
To address 1, you will need a tool that reads from AD, and writes to OpenLDAP. Many people write their own scripts, although I recommend you look at http://lsc-project.org.
To address 2, you need to decide how you want authentication to work.
You could set up OpenLDAP to redirect BIND attempts to the AD, via LDAP (using saslauthd and spasswd), keeping passwords in AD.
If you want to be able to authenticate on OpenLDAP without requiring access to the AD servers, you'll want passwords in OpenLDAP too. It's not generally possible to extract them from AD, so you'll need to set new ones in OpenLDAP, and maybe sync them to your AD.
Good luck, Jonathan
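As an added illustration of the two points above (not code from the thread or from the LSC project), here is the core of a hand-written AD-to-OpenLDAP user sync: it maps an AD user object to an inetOrgPerson entry, skips disabled accounts and unsafe login names instead of copying them, and, since no password hash can be read out of AD, sets userPassword to the {SASL} pass-through form so slapd hands the bind to saslauthd, which checks it against AD. The AD entries, the OpenLDAP suffix ou=People,dc=example,dc=test and the realm EXAMPLE.TEST are constructed assumptions.

```python
import re

# Constructed sample AD entries as an LDAP search would return them.
# userAccountControl bit 0x2 = ACCOUNTDISABLE (514 = normal account, disabled).
SAMPLE_AD_ENTRIES = [
    {"sAMAccountName": "mmoj", "givenName": "Markus", "sn": "Moj",
     "mail": "mmoj@example.test", "userAccountControl": "512",
     "memberOf": ["CN=it-infra,OU=Groups,DC=example,DC=test"]},
    {"sAMAccountName": "olduser", "givenName": "Old", "sn": "User",
     "mail": "old@example.test", "userAccountControl": "514", "memberOf": []},
]

PEOPLE_BASE = "ou=People,dc=example,dc=test"  # assumed OpenLDAP suffix
AD_REALM = "EXAMPLE.TEST"                      # assumed AD Kerberos realm
_SAFE_UID = re.compile(r"^[A-Za-z0-9._-]+$")   # keeps DN/LDIF free of metachars


def is_disabled(entry):
    """True when the ACCOUNTDISABLE flag is set in userAccountControl."""
    return int(entry.get("userAccountControl", "0")) & 0x2 != 0


def ad_to_openldap(entry):
    """Map one AD user to an OpenLDAP entry dict.

    Returns None for disabled accounts and for login names that could not
    be safely embedded in a DN; a sync must never re-enable such accounts
    on the OpenLDAP side by silently copying them."""
    uid = entry["sAMAccountName"]
    if is_disabled(entry) or not _SAFE_UID.match(uid):
        return None
    return {
        "dn": f"uid={uid},{PEOPLE_BASE}",
        "objectClass": ["inetOrgPerson"],
        "uid": uid,
        "cn": f"{entry['givenName']} {entry['sn']}",
        "sn": entry["sn"],
        "mail": entry["mail"],
        # Pass-through authentication: slapd forwards the bind password to
        # saslauthd for user "uid" in realm AD_REALM instead of hashing it.
        "userPassword": f"{{SASL}}{uid}@{AD_REALM}",
    }


def to_ldif(ldap_entry):
    """Render an entry dict as LDIF text suitable for ldapadd."""
    lines = [f"dn: {ldap_entry['dn']}"]
    for attr, val in ldap_entry.items():
        if attr == "dn":
            continue
        for v in (val if isinstance(val, list) else [val]):
            lines.append(f"{attr}: {v}")
    return "\n".join(lines) + "\n"


def sync(entries):
    """Return the OpenLDAP entries to write for a list of AD user objects."""
    mapped = (ad_to_openldap(e) for e in entries)
    return [m for m in mapped if m is not None]
```

The {SASL} scheme only works when slapd is built with SASL support and saslauthd is running with its ldap mechanism pointed at the AD; groups follow the same pattern with memberOf mapped to groupOfNames entries.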
On Tue, 2009-09-15 at 10:53 +0200, MMoj@timocom.com wrote:
There seems to be a common confusion about AD. AD comprises two elements: an LDAP server and a Kerberos server. User information (accounts, groups) is stored in LDAP. User passwords are stored in Kerberos.
You can replicate (sync) the AD LDAP server to OpenLDAP, but you will have only the authorization information (users, groups), not the authentication information (passwords). Therefore you cannot authenticate against LDAP.
In order to get your thing working, you'd have to replicate the Kerberos information too. It is possible; however, I myself have never seen a consistent how-to which describes an OpenLDAP/MIT Kerberos AD replacement.
Martin.
MMoj@timocom.com writes:
Hello everyone,
I'm having a hard time. I should enable the sync of an AD (W2K3) and an LDAP (CentOS 5.3) server based on the mentioned system. I really don't know how to establish a sync of user accounts, groups, etc.
What directory are you running on CentOS? CentOS provides OpenLDAP and Fedora Directory Server aka Netscape iPlanet.
I have a test environment running with W2K3 AD and CentOS 5.3 LDAP with Kerberos for SSO (Single Sign-On), but the information is still located in the AD, not in the LDAP, and I want to authenticate against the LDAP server. I really don't know how to configure the AD / LDAP to sync, or to replicate the AD into LDAP.
You may set up a Kerberos trust relation between Active Directory and a CentOS-based MIT Krb5 1.6, and integrate the Kerberos database into OpenLDAP, if you run OpenLDAP.
Can someone help me out with a good "How-To" or maybe some config files, etc.
On this topic there is not much documentation available. As a start you may read http://technet.microsoft.com/en-us/library/bb742433.aspx
-Dieter
openldap-technical@openldap.org