Hi everyone,
I've spent countless hours trying to figure out how to sync OpenLDAP with my currently running Windows/Active Directory; however, I can't find any information on how this is done.
I'm currently running Windows/AD, which authenticates ~20 users, all Windows boxes (obviously); however, all Windows users have accounts on the Linux machines I run, and that makes administrative tasks a bit messy, hence I have to make account changes on two different domains.
The ideal setup is to set up an OpenLDAP server that is synced with Windows Active Directory, so that my users can authenticate against the Linux domain using their Windows passwords.
etc., (Linux machines / LDAP clients) -> OpenLDAP <-- SYNC --> Win/AD <- (Windows machines)
That's how I imagine the setup will look.
Has anyone ever done this? Any help is greatly appreciated!
// Thanks, boney
"Razi Garbie" boneybastard@gmail.com writes:
Hi everyone,
I've spent countless hours trying to figure out how to sync OpenLDAP with my currently running Windows/Active Directory; however, I can't find any information on how this is done.
I'm currently running Windows/AD, which authenticates ~20 users, all Windows boxes (obviously); however, all Windows users have accounts on the Linux machines I run, and that makes administrative tasks a bit messy, hence I have to make account changes on two different domains.
The ideal setup is to set up an OpenLDAP server that is synced with Windows Active Directory, so that my users can authenticate against the Linux domain using their Windows passwords.
etc., (Linux machines / LDAP clients) -> OpenLDAP <-- SYNC --> Win/AD <- (Windows machines)
That's how I imagine the setup will look.
Has anyone ever done this?
I doubt it. Ask Microsoft to implement RFC 4533. But you might try OpenLDAP with configured back-ldap and probably a caching proxy to connect to AD. Further reading: man slapd.conf(5), man slapd-ldap(5), man slapo-pcache(5).
-Dieter
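To make Dieter's suggestion concrete, here is an added slapd.conf fragment for such a proxy. It is not Dieter's configuration and not from the OpenLDAP project: slapd serves the Unix clients, forwards operations to the domain controllers through back-ldap, maps AD's attribute names onto the rfc2307 ones with slapo-rwm, and caches lookups with slapo-pcache. Host names, DNs, paths and the service account are assumed placeholders; check every directive against slapd-ldap(5), slapo-rwm(5) and slapo-pcache(5) for the version you run.

```conf
# Added example (not Dieter's config): slapd as a caching proxy in front of AD.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# TLS towards the Unix clients, and refuse any operation without it, so the
# simple binds that carry Windows passwords never cross the wire in clear.
TLSCACertificateFile    /etc/openldap/cacerts/ca.pem      # placeholder paths
TLSCertificateFile      /etc/openldap/certs/proxy.pem
TLSCertificateKeyFile   /etc/openldap/certs/proxy.key
security                ssf=128

modulepath      /usr/lib/openldap
moduleload      back_ldap.la
moduleload      rwm.la
moduleload      pcache.la

database        ldap
suffix          "dc=example,dc=test"        # assumed: the AD domain's naming context
uri             "ldaps://dc1.example.test/ ldaps://dc2.example.test/"
chase-referrals no                          # AD returns referrals for other partitions
lastmod         off                         # entries are owned by AD, not by this slapd

# AD refuses anonymous searches. Clients that only search (nss_ldap) are served
# through a read-only service account; mode=none runs those operations as that
# account instead of asserting the client's identity (AD has no proxy authz).
# A client bind with a DN and password is still forwarded to AD as-is, so a
# user authenticates with the Windows password and AD's lockout policy applies.
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=example,dc=test"
                credentials="<service-account-password>"    # placeholder; keep the file 0600
                mode=none
idassert-authzFrom "*"

# Innermost overlay: present AD's names as what nss_ldap expects.
overlay         rwm
rwm-map         objectclass posixAccount user
rwm-map         attribute   uid           sAMAccountName
rwm-map         attribute   homeDirectory unixHomeDirectory
rwm-map         attribute   *             *

# Outermost overlay: cache the mapped answers for an hour.
overlay         pcache
pcache          bdb 10000 1 50 100
pcacheAttrset   0 uid uidNumber gidNumber homeDirectory loginShell gecos cn
pcacheTemplate  (uid=) 0 3600
pcacheTemplate  (uidNumber=) 0 3600
directory       /var/lib/ldap/pcache
index           uid,uidNumber eq
```

Two things to keep in mind with this layout: the cache answers every client from the same store, so it only suits a deployment where all clients may see the same account data, and nothing here synchronises passwords; a user's password is verified by AD each time a bind is forwarded, which is what the original question actually needs.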
On Feb 11, 2008 2:28 PM, Razi Garbie boneybastard@gmail.com wrote:
Hi everyone,
I've spent countless hours trying to figure out how to sync OpenLDAP with my currently running Windows/Active Directory; however, I can't find any information on how this is done.
I'm currently running Windows/AD, which authenticates ~20 users, all Windows boxes (obviously); however, all Windows users have accounts on the Linux machines I run, and that makes administrative tasks a bit messy, hence I have to make account changes on two different domains.
The ideal setup is to set up an OpenLDAP server that is synced with Windows Active Directory, so that my users can authenticate against the Linux domain using their Windows passwords.
Yes, it can be done. In my setup a user can log in to a Linux machine; this user does not exist on Linux, but it exists in Windows Active Directory.
I am getting these results. Suppose I have a user, say "bharat"; user bharat exists on Windows Active Directory, and on the Linux machine it does not exist.
Now with a few configurations user bharat can log in to the Linux box though it does not exist on Linux. Linux is getting authentication from Windows Active Directory.
a.) I don't have to create a user account on the Linux machine.
b.) My users on Active Directory can log in to the Linux machine with the same passwords assigned on Windows AD.
c.) Users can change their password from the Linux shell (still testing the exact thing which I am getting), but it is confirmed that after changing the password from the Linux shell I have the new password working; will let you know more.
I tried this thing.
1.) On Windows, first installed AD, then SFU (Services for Unix), which gives Unix attribute settings to the Active Directory user properties.
2.) Added a user on Active Directory.
3.) Changed /etc/ldap.conf so that it can bind the Linux machine with AD.
4.) Changed /etc/nsswitch.conf to have LDAP authentication.
5.) Changed PAM configuration.
6.) authconfig settings to have LDAP.
I am still working on this thing; I am documenting the exact procedure which I followed, e.g. file changes.
In the meantime you can visit the following page. It is among many other pages which I followed. http://blog.scottlowe.org/2006/08/08/linux-active-directory-and-windows-serv...
I used RHEL5 and Windows AD; working on RHEL4 to reproduce the results.
What OS are you using?
Anuj Singh.
etc., (Linux machines / LDAP clients) -> OpenLDAP <-- SYNC --> Win/AD <- (Windows machines)
That's how I imagine the setup will look.
Has anyone ever done this? Any help is greatly appreciated!
// Thanks, boney
On Monday 11 February 2008 20:12:17 अनुज Anuj Singh wrote:
On Feb 11, 2008 2:28 PM, Razi Garbie boneybastard@gmail.com wrote:
Hi everyone,
I've spent countless hours trying to figure out how to sync OpenLDAP with my currently running Windows/Active Directory; however, I can't find any information on how this is done.
I'm currently running Windows/AD, which authenticates ~20 users, all Windows boxes (obviously); however, all Windows users have accounts on the Linux machines I run, and that makes administrative tasks a bit messy, hence I have to make account changes on two different domains.
The ideal setup is to set up an OpenLDAP server that is synced with Windows Active Directory, so that my users can authenticate against the Linux domain using their Windows passwords.
Yes, it can be done. In my setup a user can log in to a Linux machine; this user does not exist on Linux, but it exists in Windows Active Directory.
There are a number of well-known solutions to authenticating Unix servers to Active Directory, however, the original question was about synchronisation between OpenLDAP and Active Directory.
There are also other potential solutions for synching passwords from AD to OpenLDAP, but the original question precluded this answer ...
So, maybe the original poster would like to re-pose the question.
(I personally dislike using AD for Unix user account details, as other features of LDAP-aware Unix clients are not available when using AD)
Regards, Buchan
2008/2/12, Buchan Milne bgmilne@staff.telkomsa.net:
On Monday 11 February 2008 20:12:17 अनुज Anuj Singh wrote:
On Feb 11, 2008 2:28 PM, Razi Garbie boneybastard@gmail.com wrote:
Hi everyone,
I've spent countless hours trying to figure out how to sync OpenLDAP with my currently running Windows/Active Directory; however, I can't find any information on how this is done.
I'm currently running Windows/AD, which authenticates ~20 users, all Windows boxes (obviously); however, all Windows users have accounts on the Linux machines I run, and that makes administrative tasks a bit messy, hence I have to make account changes on two different domains.
The ideal setup is to set up an OpenLDAP server that is synced with Windows Active Directory, so that my users can authenticate against the Linux domain using their Windows passwords.
Yes, it can be done. In my setup a user can log in to a Linux machine; this user does not exist on Linux, but it exists in Windows Active Directory.
There are a number of well-known solutions to authenticating Unix servers to Active Directory, however, the original question was about synchronisation between OpenLDAP and Active Directory.
There are also other potential solutions for synching passwords from AD to OpenLDAP, but the original question precluded this answer ...
So, maybe the original poster would like to re-pose the question.
(I personally dislike using AD for Unix user account details, as other features of LDAP-aware Unix clients are not available when using AD)
Regards, Buchan
Perhaps I should try to explain my situation a little bit better.
What I want to achieve is cross-platform authentication between Windows/AD + workstations and Linux (Debian, CentOS and Red Hat). So I thought it would work to set up an OpenLDAP server on one of the boxes and clients on the other servers, and sync the OpenLDAP with my currently running Windows/AD. I've looked at various solutions on how to authenticate Linux machines in Win/AD with winbind etc.
But I didn't really like that, considering I plan to run daemons/services that use LDAP for authentication.
I hope I don't confuse things... Bottom line is that I need a solution for cross-platform authentication, so my users can authenticate to Windows, to their Linux shells and to daemons running on the Linux boxes (all using the same account information).
// Thanks for your help, Razi
Razi Garbie wrote:
What I want to achieve is cross-platform authentication between Windows/AD + workstations and Linux (Debian, CentOS and Red Hat). So I thought it would work to set up an OpenLDAP server on one of the boxes and clients on the other servers, and sync the OpenLDAP with my currently running Windows/AD. I've looked at various solutions on how to authenticate Linux machines in Win/AD with winbind etc.
Use pam_ldap or pam_krb5 against AD. NIS information you can retrieve from OpenLDAP with nss_ldap. No syncing needed for that, just different ldap.conf files for pam_ldap and nss_ldap.
Ciao, Michael.
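The client side of Michael's split (account data from OpenLDAP via nss_ldap, passwords checked against AD via pam_ldap), and, at the end, the extra lines that turn it into Anuj's all-in-AD variant, as an added example. These are not Anuj's or Michael's files; they follow the nss_ldap/pam_ldap shipped with RHEL4/5 and the authconfig-style system-auth, and hosts, DNs, paths and the service account are assumed placeholders. The `config=` module argument of pam_ldap is what lets the two components read different files.

```conf
# Added example (not from any poster): nss_ldap -> OpenLDAP, pam_ldap -> AD.

# ---- /etc/ldap.conf : read by nss_ldap from every user's processes, so it is
# world-readable and must carry no password (OpenLDAP allows anonymous reads here).
uri             ldaps://ldap.example.test/
base            dc=example,dc=test
ssl             on
tls_cacertfile  /etc/openldap/cacerts/ca.pem
tls_checkpeer   yes
nss_base_passwd ou=People,dc=example,dc=test?one
nss_base_group  ou=Groups,dc=example,dc=test?one
bind_policy     soft                 # do not hang boot or login while the server is down
nss_initgroups_ignoreusers root,ldap

# ---- /etc/pam_ldap.conf : read by pam_ldap only, mode 0600. AD rejects
# anonymous searches, so the DN lookup that precedes the bind needs an account.
uri             ldaps://dc1.example.test/
base            dc=example,dc=test
ssl             on
tls_cacertfile  /etc/openldap/cacerts/ca.pem
tls_checkpeer   yes
binddn          cn=ldapproxy,cn=Users,dc=example,dc=test
bindpw          <service-account-password>        # placeholder
pam_login_attribute sAMAccountName
pam_filter      objectclass=user
pam_password    ad                   # password changes go through AD's unicodePwd

# ---- /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap

# ---- /etc/pam.d/system-auth (RHEL layout; config= points pam_ldap at its own file)
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so config=/etc/pam_ldap.conf use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so config=/etc/pam_ldap.conf
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so config=/etc/pam_ldap.conf use_authtok
password    required      pam_deny.so
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_ldap.so config=/etc/pam_ldap.conf
session     optional      pam_mkhomedir.so skel=/etc/skel umask=0077

# ---- Anuj's variant (everything from AD, Unix attributes from SFU / 2003 R2):
# point /etc/ldap.conf at the DC instead and map the rfc2307 names onto AD's.
# The bind account then has to live in the world-readable file, which is one
# reason to prefer the split above.
nss_base_passwd cn=Users,dc=example,dc=test?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
```

Whichever variant is used, `getent passwd bharat` is the check that NSS resolves the account, and a login over ssh with the Windows password is the check for the PAM half; the two fail independently, which is why it helps to test them separately.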
2008/2/13, Michael Ströder michael@stroeder.com:
Razi Garbie wrote:
What I want to achieve is cross-platform authentication between Windows/AD + workstations and Linux (Debian, CentOS and Red Hat). So I thought it would work to set up an OpenLDAP server on one of the boxes and clients on the other servers, and sync the OpenLDAP with my currently running Windows/AD. I've looked at various solutions on how to authenticate Linux machines in Win/AD with winbind etc.
Use pam_ldap or pam_krb5 against AD. NIS information you can retrieve from OpenLDAP with nss_ldap. No syncing needed for that, just different ldap.conf files for pam_ldap and nss_ldap.
Ciao, Michael.
I see, so a slapd is not needed?
If that's the case, do you perhaps know if I'll be able to authenticate services that use LDAP:// and not PAM? Could someone please give me links so that I can read up on how to set up OpenLDAP to authenticate against Windows/AD.
Razi Garbie wrote:
2008/2/13, Michael Ströder michael@stroeder.com:
Use pam_ldap or pam_krb5 against AD. NIS information you can retrieve from OpenLDAP with nss_ldap. No syncing needed for that, just different ldap.conf files for pam_ldap and nss_ldap.
I see, so a slapd is not needed?
In this scenario authentication would be done directly with AD. But you also might want to retrieve the NIS information (what's in /etc/passwd) via LDAP. It depends whether you also want that information to be stored in AD or not.
If that's the case, do you perhaps know if I'll be able to authenticate services that use LDAP:// and not PAM?
You can have a mixture of applications directly checking a password via LDAP and some using PAM or some directly using Kerberos or...
But take into account operational and security considerations.
Could someone please give me links so that I can read up on how to set up OpenLDAP to authenticate against Windows/AD.
Use SASL GSSAPI for using Kerberos with AD to authenticate clients which bind to slapd.
Ciao, Michael.
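Michael's "applications directly checking a password via LDAP" together with his "operational and security considerations" deserve a worked illustration, added here and not taken from any poster. A daemon that verifies a password with a simple bind against AD has one trap in particular: RFC 4513 section 5.1.2 makes a simple bind with a DN and an empty password an *unauthenticated* bind, which AD accepts, so "the bind succeeded" is not the same as "the password was right". The code below shows the naive check next to a hardened one. The `Ldap3Server` adapter assumes the third-party `ldap3` package and an `ldaps://` URL; `FakeADServer` is a constructed stand-in that reproduces the behaviour so the example runs without a domain controller, and the DN and password in `demo()` are made up.

```python
"""Added example (not code from this thread): verifying a password with an LDAP
simple bind against AD, naive versus hardened. Assumes `ldap3` for the real
adapter; FakeADServer is a constructed stand-in for a domain controller."""


class AuthError(Exception):
    """The check is being used unsafely; distinct from 'wrong password'."""


class FakeADServer:
    """Constructed stand-in for a DC (not a real AD). Like AD, a simple bind
    with a DN and an empty password succeeds as an unauthenticated bind
    (RFC 4513 section 5.1.2), leaving the session anonymous."""

    def __init__(self, accounts, tls_started=False):
        self.accounts = accounts        # dn -> password, constructed test data
        self.tls_started = tls_started  # True once the session is under TLS
        self.bound_as = None

    def simple_bind(self, dn, password):
        if password == "":
            self.bound_as = None        # "succeeds", but as nobody
            return True
        if self.accounts.get(dn) == password:
            self.bound_as = dn
            return True
        self.bound_as = None
        return False

    def whoami(self):
        """LDAP Who Am I? (RFC 4532): the bound identity, '' when anonymous."""
        return self.bound_as or ""


class Ldap3Server:
    """Same interface on top of ldap3 (assumed installed). Only ldaps:// URLs
    count as TLS here; an ldap:// URL makes hardened_check refuse to run."""

    def __init__(self, url):
        import ldap3  # imported lazily so the fake works without ldap3
        self._ldap3 = ldap3
        self._server = ldap3.Server(url, get_info=ldap3.NONE)
        self.tls_started = url.lower().startswith("ldaps://")
        self._conn = None

    def simple_bind(self, dn, password):
        conn = self._ldap3.Connection(self._server, user=dn, password=password,
                                      authentication=self._ldap3.SIMPLE)
        if not conn.bind():
            return False
        self._conn = conn
        return True

    def whoami(self):
        # AD answers e.g. "u:DOMAIN\\user" for a real user, "" for anonymous
        return self._conn.extend.standard.who_am_i() if self._conn else ""


def naive_check(server, user_dn, password):
    """What many applications do: 'bind returned success' == 'password is right'.
    Against AD this admits anyone as any user who submits an empty password."""
    return server.simple_bind(user_dn, password)


def hardened_check(server, user_dn, password):
    """True only if `password` really is user_dn's password. Raises AuthError
    when the channel is cleartext, the password is empty, or the bind
    'succeeded' anonymously; a merely wrong password returns False."""
    if not server.tls_started:
        raise AuthError("refusing to send a password over a cleartext connection")
    if not password:
        raise AuthError("empty password would be an unauthenticated bind, not a check")
    if not server.simple_bind(user_dn, password):
        return False
    if not server.whoami():
        raise AuthError("bind succeeded but the session is anonymous")
    return True


def demo():
    """Run both checks against the fake DC; returns the outcomes for inspection."""
    dn = "CN=bharat,CN=Users,DC=example,DC=test"          # constructed
    dc = FakeADServer({dn: "correct-horse"}, tls_started=True)
    naive_empty = naive_check(dc, dn, "")                 # True: the hole
    try:
        hardened_check(dc, dn, "")
        hardened_empty = "allowed"
    except AuthError:
        hardened_empty = "refused"
    return {
        "naive_empty_password": naive_empty,
        "hardened_empty_password": hardened_empty,
        "hardened_right_password": hardened_check(dc, dn, "correct-horse"),
        "hardened_wrong_password": hardened_check(dc, dn, "nope"),
    }


if __name__ == "__main__":
    print(demo())
```

The same interface is deliberately kept for the fake and the real adapter so the application code (`hardened_check`) does not change between tests and production; the operational consideration Michael alludes to is that every failed bind counts against AD's lockout policy for that account, so a daemon should never retry a user's password on its own.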
openldap-technical@openldap.org