12:58 a.m.
Hi everyone,
I've spent countless of hours trying to figure out how to sync openLDAP with
my currently running windows/active directory, however.. i cant find any
information on how this is done.
Im currently running windows/AD which authenticates ~20users all windows
boxes (obviously), however.. all windows users have accounts on the linux
machines i run and that makes administrative tasks a bit messy, hence i have
to make account changes on two different domains.
The ideal setup is to setup setup a OpenLDAP server that is synced with
windows active directory, so that my users can authenticate against the
linux domain using their windows passwords.
etc,
(linux machines/-ldap clients) - > OpenLDAP <--SYNC --> Win/AD <- (windows
machines)
Thats how i imagine the setup will look like.
Has anyone ever done this?
Any help is greatly appreciated!
// Thanks, boney
7:42 a.m.
"Razi Garbie" <boneybastard(a)gmail.com> writes:
Hi everyone,
I've spent countless of hours trying to figure out how to sync openLDAP with
my currently running windows/active directory, however.. i cant find any
information on how this is done.
Im currently running windows/AD which authenticates ~20users all windows boxes
(obviously), however.. all windows users have accounts on the linux machines i
run and that makes administrative tasks a bit messy, hence i have to make
account changes on two different domains.
The ideal setup is to setup setup a OpenLDAP server that is synced with
windows active directory, so that my users can authenticate against the linux
domain using their windows passwords.
etc,
(linux machines/-ldap clients) - > OpenLDAP <--SYNC --> Win/AD <- (windows
machines)
Thats how i imagine the setup will look like.
Has anyone ever done this?
I doubt it.
Ask Microsoft to implement RFC 4533.
But you might try OpenLDAP with configured back-ldap and probably a
caching proxy to connect to AD. Further readings: man slapd.conf(5),
man slapd-ldap(5), man slapo-pcache(5).
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
10:12 a.m.
On Feb 11, 2008 2:28 PM, Razi Garbie <boneybastard(a)gmail.com> wrote:
Hi everyone,
I've spent countless of hours trying to figure out how to sync openLDAP with
my currently running windows/active directory, however.. i cant find any
information on how this is done.
Im currently running windows/AD which authenticates ~20users all windows
boxes (obviously), however.. all windows users have accounts on the linux
machines i run and that makes administrative tasks a bit messy, hence i have
to make account changes on two different domains.
The ideal setup is to setup setup a OpenLDAP server that is synced with
windows active directory, so that my users can authenticate against the
linux domain using their windows passwords.
Yes it can be done, in my setup a user
can login to linux machine ,
this user does not exists on linux, beside it exists on windows active
directory.
I am getting these results.
suppose I have a user , say "bharat",
user bharat exists on windows active directory and on linux machine it
does not exists.
Now with few configurations user bharat can login to linux box though
it does not exists on linux.
Linux is getting authentication from windows active directory.
a.) I don't have to create a user account on linux machine.
b). My users on active directory can login to linux machine with same
passwords assigned on windows ad.
c). User can change their password from linux shell (still testing the
exact thing which I am getting), but it is confirmed that after
changing password from linux shell I have new password working, will
let you more.
I tried this thing.
1.) On windows first installed AD, then SFU (service for unix) which
gives a unix attribute setting to active directory user properties.
2.) Added a user on active directory.
3.) changed /etc/ldap.conf so that it can bind linux machine with AD.
4.) changed /etc/nsswitch.conf to have ldap authentication
5.) changed pam configuration
6.)authconfig settings to have ldap
I am still working on this thing, exact procedure which i followed I
am documenting it. e.g. file changes,
in the mean time you can visit the following page. it is among many
other pages which I followed.
http://blog.scottlowe.org/2006/08/08/linux-active-directory-and-windows-s...
I used RHEL5 and windows AD , working on RHEL4 to reproduce the results.
what os are you using?
Anuj Singh.
etc,
(linux machines/-ldap clients) - > OpenLDAP <--SYNC --> Win/AD <- (windows
machines)
Thats how i imagine the setup will look like.
Has anyone ever done this?
Any help is greatly appreciated!
// Thanks, boney
8:31 a.m.
On Monday 11 February 2008 20:12:17 अनुज Anuj Singh wrote:
On Feb 11, 2008 2:28 PM, Razi Garbie <boneybastard(a)gmail.com>
wrote:
> Hi everyone,
>
> I've spent countless of hours trying to figure out how to sync openLDAP
> with my currently running windows/active directory, however.. i cant find
> any information on how this is done.
>
> Im currently running windows/AD which authenticates ~20users all windows
> boxes (obviously), however.. all windows users have accounts on the linux
> machines i run and that makes administrative tasks a bit messy, hence i
> have to make account changes on two different domains.
>
> The ideal setup is to setup setup a OpenLDAP server that is synced with
> windows active directory, so that my users can authenticate against the
> linux domain using their windows passwords.
Yes it can be done, in my setup a user can login to linux machine ,
this user does not exists on linux, beside it exists on windows active
directory.
There are a number of well-known solutions to authenticating Unix servers to
Active Directory, however, the original question was about synchronisation
between OpenLDAP and Active Directory.
There are also other potential solutions for synching passwords from AD to
OpenLDAP, but the original question precluded this answer ...
So, maybe the original poster would like to re-pose the question.
(I personally dislike using AD for Unix user account details, as other
features of LDAP-aware Unix clients are not available when using AD)
Regards,
Buchan
12:40 a.m.
2008/2/12, Buchan Milne <bgmilne(a)staff.telkomsa.net>:
On Monday 11 February 2008 20:12:17 अनुज Anuj Singh wrote:
> On Feb 11, 2008 2:28 PM, Razi Garbie <boneybastard(a)gmail.com> wrote:
> > Hi everyone,
> >
> > I've spent countless of hours trying to figure out how to sync
openLDAP
> > with my currently running windows/active directory, however.. i cant
find
> > any information on how this is done.
> >
> > Im currently running windows/AD which authenticates ~20users all
windows
> > boxes (obviously), however.. all windows users have accounts on the
linux
> > machines i run and that makes administrative tasks a bit messy, hence
i
> > have to make account changes on two different domains.
> >
> > The ideal setup is to setup setup a OpenLDAP server that is synced
with
> > windows active directory, so that my users can authenticate against
the
> > linux domain using their windows passwords.
>
> Yes it can be done, in my setup a user can login to linux machine ,
> this user does not exists on linux, beside it exists on windows active
> directory.
There are a number of well-known solutions to authenticating Unix servers
to
Active Directory, however, the original question was about synchronisation
between OpenLDAP and Active Directory.
There are also other potential solutions for synching passwords from AD to
OpenLDAP, but the original question precluded this answer ...
So, maybe the original poster would like to re-pose the question.
(I personally dislike using AD for Unix user account details, as other
features of LDAP-aware Unix clients are not available when using AD)
Regards,
Buchan
Perhaps i should try to explain my situation a little bit better,
What i want to achive is corss-platform authentication between windows/AD +
workstations and linux (debian, centOS and redhat).
So i thought it would work to setup a OpenLDAP server on one of the boxes
and clients on the other servers, and sync the OpenLDAP with my currently
running Windows/AD, ive looked at various solutions on how to authenticate
linux machines in Win/AD with winbind etc.
But i didnt really like that, considering i plan to run daemons/services
that use ldap for authentication.
I hope i dont confuse things...
Bottom line is that i need a solution for cross platform authentication, so
my users can authenticate to windows, to their linux shells and daemons
running on the linux boxes (all using the same account information)
// Thanks for your help, Razi
4:27 a.m.
Razi Garbie wrote:
What i want to achive is corss-platform authentication between
windows/AD + workstations and linux (debian, centOS and redhat).
So i thought it would work to setup a OpenLDAP server on one of the
boxes and clients on the other servers, and sync the OpenLDAP with my
currently running Windows/AD, ive looked at various solutions on how to
authenticate linux machines in Win/AD with winbind etc.
Use pam_ldap or pam_krb5 against AD. NIS information you can retrieve
from OpenLDAP with nss_ldap. No syncing needed for that, just different
ldap.conf files for pam_ldap and nss_ldap.
Ciao, Michael.
11:50 p.m.
2008/2/13, Michael Ströder <michael(a)stroeder.com>:
Razi Garbie wrote:
>
> What i want to achive is corss-platform authentication between
> windows/AD + workstations and linux (debian, centOS and redhat).
> So i thought it would work to setup a OpenLDAP server on one of the
> boxes and clients on the other servers, and sync the OpenLDAP with my
> currently running Windows/AD, ive looked at various solutions on how to
> authenticate linux machines in Win/AD with winbind etc.
Use pam_ldap or pam_krb5 against AD. NIS information you can retrieve
from OpenLDAP with nss_ldap. No syncing needed for that, just different
ldap.conf files for pam_ldap and nss_ldap.
Ciao, Michael.
I see, so a slapd is not needed?
If thats the case, do you perhaps know if i'll be able to authenticate
services that use LDAP:// and not PAM?
Could someone please give me links so that i can read up upon how to setup
OpenLDAP to authenticate against Windows/AD.
12:46 a.m.
Razi Garbie wrote:
2008/2/13, Michael Ströder <michael(a)stroeder.com
<mailto:michael@stroeder.com>>:
Use pam_ldap or pam_krb5 against AD. NIS information you can retrieve
from OpenLDAP with nss_ldap. No syncing needed for that, just different
ldap.conf files for pam_ldap and nss_ldap.
I see, so a slapd is not needed?
In this scenario authentication would be done directly with AD. But you
also might want to retrieve the NIS information (what's in /etc/passwd)
via LDAP. It depends whether you also want that information to be stored
in AD or not.
If thats the case, do you perhaps know if i'll be able to
authenticate
services that use LDAP:// and not PAM?
You can have a mixture of applications directly checking a password via
LDAP and some using PAM or some directly using Kerberos or...
But take into account operational and security considerations.
Could someone please give me links so that i can read up upon how to
setup OpenLDAP to authenticate against Windows/AD.
Use SASL GSSAPI for using Kerberos with AD to authenticate clients which
bind to slapd.
Ciao, Michael.
5774
days inactive
5778
days old
openldap-technical@openldap.org
7 comments
5 participants
participants (5)
-
Buchan Milne -
Dieter Kluenter -
Michael Ströder -
Razi Garbie -
अनुज Anuj Singh