I want to keep the password part in the current LDAP so we don't have to do a mass reset for all parties. And I didn't want to move the LDAP to an MS product. Thanks for the information.
On Fri, Jun 6, 2014 at 8:08 PM, Stewart Walters <stewart.walters@gmail.com> wrote:
Just spitballing here, because I'm not exactly sure I completely understand your usage scenario.
You say you want AD to use OpenLDAP as the authentication source, I presume so that Windows workstation logins can authenticate against an identity in OpenLDAP?
If Group Policy/File and Printer management and other aspects of AD aren't hugely important to the control and management of your workstation fleet, you could deploy pGina (pgina.org) to every workstation. pGina will replace the Windows Ctrl+Alt+Del style login screen with one that will allow users to authenticate directly to an identity in OpenLDAP.
If that's not your scenario (or if you need the Group Policy/File and Print stuff), as Peter correctly asserts, Samba 3/4 can be used as a drop-in replacement for AD. It can also be configured to use Kerberos and OpenLDAP on the backend to control identity and authentication. Without having to learn Samba (which, by extension, often requires you to know low-level concepts of AD itself), you could also consider a FreeIPA deployment, which may or may not assist with simplifying the configuration of Samba4.
Another way would be to use an IDAM product such as Microsoft Forefront Identity Manager (or the Quest or NetIQ equivalents) to replicate user identities and passwords in AD over to OpenLDAP (and vice versa). I suspect however that an IDAM project is probably too over-engineered/too expensive for your needs.
Hope that helps,
Stewart
openldap-technical@openldap.org
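The Samba-with-OpenLDAP-backend option from Stewart's message, shown as a concrete configuration. This is an added example, not something posted in the thread: it is the classic (NT4-style) Samba domain controller setup, which is the Samba mode that reads identities and password hashes from an external OpenLDAP directory through the ldapsam backend; the hostnames, DNs and the cn=samba bind account are assumptions. The second part is the matching slapd ACL fragment, because with this design the NT hash of every user's password lands in the directory and has to be protected as strictly as userPassword itself.

```conf
# --- smb.conf (constructed example; hosts, suffixes and bind DN are assumptions) ---
[global]
    workgroup = EXAMPLE
    netbios name = PDC1
    security = user
    domain logons = yes
    domain master = yes

    # Identity and password store: OpenLDAP, using the sambaSamAccount schema
    # shipped with Samba (examples/LDAP/samba.schema or samba.ldif).
    passdb backend = ldapsam:ldap://ldap.example.com
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    # Samba binds as this DN; its password is stored once in secrets.tdb via
    # "smbpasswd -w <password>", never in smb.conf.
    ldap admin dn = cn=samba,dc=example,dc=com
    # Never send the bind password or NT hashes in the clear.
    ldap ssl = start tls
    # When a user changes their Windows password, Samba also updates
    # userPassword in OpenLDAP (LDAP Password Modify extended operation),
    # so the LDAP password the original poster wants to keep stays authoritative.
    ldap passwd sync = yes

# --- slapd.conf fragment (constructed example) ---
include /etc/openldap/schema/samba.schema

# sambaNTPassword is an unsalted MD4 hash of the password and sambaLMPassword
# is worse still; anyone who can read them can authenticate as the user.
# Only the Samba bind DN may see or set them.
access to attrs=sambaLMPassword,sambaNTPassword
    by dn.exact="cn=samba,dc=example,dc=com" write
    by * none

# userPassword: Samba's bind DN and the user may change it, everyone else
# may only use it to authenticate (needed for simple binds).
access to attrs=userPassword
    by dn.exact="cn=samba,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none
```

Two practical checks before putting this in front of users: confirm with `testparm -s` that Samba accepts the file, and verify the ACL from an unprivileged bind (for example `ldapsearch -x -D "uid=someuser,ou=People,dc=example,dc=com" -W -b ou=People,dc=example,dc=com sambaNTPassword`) and make sure no sambaNTPassword values come back. Note that Samba 4 running as an AD DC keeps its own directory and does not use this ldapsam backend; the layout above is the Samba 3 / classic domain mode.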