Hi!
Currently, we've got an OpenLDAP which acts as a master and contains 20000+ users and groups, and we want to keep it. The CIO asked us to deploy Windows with AD connected to our master OpenLDAP. I've googled a lot and I don't find any clean solution like a replica (OpenLDAP -> AD). Another solution could be the use of referrals on the AD, but I doubt it? The unclean solutions I found are LSC or MIIS/FIM, which are not real-time...
A little help would be cool :)
Best regards, Sylvain
On 2 April 2012 13:48, Nick Milas nick@eurobjects.com wrote:
On 2/4/2012 2:29 PM, Sylvain wrote:
Currently, we've got an OpenLDAP which acts as a master..., and we want to keep it.
The CIO asked us to deploy Windows with AD connected to our master OpenLDAP.
Perhaps a bit off-topic, but why would you need Win/AD too?
Yes, it's a bit off-topic. The purpose of the project is to give Windows shares to users. OK, this sucks, why not classic Samba/LDAP... The CIO doesn't want that, and is the boss, hmmm... If there is another possibility to connect Windows authentication / authorization to OpenLDAP directly, I'm open... :)
Sylvain
On 2/4/2012 3:49 PM, Sylvain wrote:
If there is another possibility to connect Windows authentication / authorization to OpenLDAP directly, I'm open... :)
You can check: http://pgina.org/
If others have good/bad experience with it, I would be interested myself!
Nick
On 2 April 2012 16:22, Nick Milas nick@eurobjects.com wrote:
Very nice! I will try this and report back.
Thanks, Sylvain
On 2/4/2012 9:57 PM, Sylvain wrote:
Very nice! I will try this and report back.
Note however the following (copying from: http://pgina.org/faq.html):
"Do shared services and devices authenticate users via pGina? - No. pGina is intended as a replacement for the *interactive* login process. Access to network shared items like printers, drives/folders, etc on another machine - do not use the portion of the OS that pGina provides replacements for. That said, the 3.x architecture does allow for this kind of thing in the future, by moving much (arguably all) actual processing into a dedicated service, *any* part of the OS which can be augmented, could potentially validate credentials using the pGina framework. For things like shared services, this would require an LSA module. This is outside the scope of the pGina project, but we've tried to make it flexible enough that experimentation in this area could be done!"
So, it may not be suitable for your case where authentication (against LDAP) to shared network resources is needed.
Therefore, if you don't want SAMBA (I am interested to hear of any arguments against its use), there might be no other alternative than to set up Win/AD.
Nick
On 2 April 2012 23:12, Nick Milas nick@eurobjects.com wrote:
After tons of negotiations, the CIO accepted the idea of Samba / OpenLDAP (OMG!),
so I will not test pGina, which, in the end, isn't mature enough to fulfill the requirements. I will keep that product in mind for the next time...
Thanks for the help! Sylvain
Hi Sylvain,
Just a word to mention that LSC is able to handle on-the-fly synchronization.
Regards,
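Sylvain's original question asks for a "replica (OpenLDAP -> AD)". AD only replicates with other domain controllers, so what LSC and similar connectors actually do is the thing below: read both directories, compute the difference, and push the resulting add/modify operations to the domain controller. This is an added example in plain Python, not LSC's code or anything posted in the thread; the attribute mapping, the target OU, the UPN suffix and the two snapshots are constructed assumptions. A real run would read the snapshots with an LDAP client library and apply the operations over LDAPS. Two design points a practitioner would want here: nothing is ever deleted on the AD side (accounts that vanish from the source are disabled, so an accident in OpenLDAP cannot destroy SIDs and ACL history), and OpenLDAP password hashes are flagged rather than copied, because an SSHA hash cannot be loaded into AD.

```python
"""One-way OpenLDAP -> AD synchronisation planner (added example, not LSC's code).
SOURCE and TARGET are constructed in-memory snapshots standing in for LDAP
search results; the returned operations would be applied to a DC over LDAPS."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SAM_MAX_LEN = 20              # sAMAccountName (pre-Windows 2000 logon name) limit for users
UAC_ACCOUNTDISABLE = 0x0002   # userAccountControl flag bits (Microsoft-documented values)
UAC_NORMAL_ACCOUNT = 0x0200

# OpenLDAP attribute -> AD attribute.  The mapping is an assumption for this
# example; adapt it to the schema actually in use.
ATTR_MAP = {"uid": "sAMAccountName", "givenName": "givenName", "sn": "sn",
            "mail": "mail", "cn": "displayName"}

@dataclass
class Op:
    kind: str                                   # "add", "modify" or "disable"
    dn: str
    attrs: Dict[str, str] = field(default_factory=dict)

@dataclass
class Plan:
    ops: List[Op] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)

def map_entry(src: Dict[str, str], users_ou: str, upn_suffix: str) -> Tuple[str, Dict[str, str]]:
    """Translate one OpenLDAP entry into the DN and attributes wanted in AD."""
    attrs = {ad: src[ol] for ol, ad in ATTR_MAP.items() if ol in src}
    attrs["userPrincipalName"] = f"{src['uid']}@{upn_suffix}"
    return f"CN={src['cn']},{users_ou}", attrs

def plan_sync(source: List[Dict[str, str]], target: Dict[str, Dict[str, str]],
              users_ou: str, upn_suffix: str) -> Plan:
    """Compute the AD operations that make `target` match `source`.
    `target` is keyed by lower-cased sAMAccountName (AD matches it
    case-insensitively); each value holds the AD attributes plus its "dn"."""
    plan = Plan()
    seen: set = set()
    for src in source:
        uid, cn = src.get("uid"), src.get("cn")
        if not uid or not cn:
            plan.warnings.append(f"entry without uid/cn skipped: {src}")
            continue
        key = uid.lower()
        if len(uid) > SAM_MAX_LEN:
            plan.warnings.append(f"{uid}: longer than {SAM_MAX_LEN} chars, not a valid sAMAccountName; skipped")
            continue
        if key in seen:
            plan.warnings.append(f"{uid}: collides case-insensitively with an earlier uid; skipped")
            continue
        seen.add(key)
        if "userPassword" in src:
            # An SSHA/crypt hash cannot be loaded into AD; the password must be set
            # as unicodePwd over LDAPS in a separate, audited step.
            plan.warnings.append(f"{uid}: userPassword hash is not portable to AD; provision unicodePwd separately")
        dn, wanted = map_entry(src, users_ou, upn_suffix)
        existing = target.get(key)
        if existing is None:
            wanted["userAccountControl"] = str(UAC_NORMAL_ACCOUNT)
            plan.ops.append(Op("add", dn, wanted))
            continue
        # Exact comparison: a case-only difference yields a harmless replace.
        changes = {a: v for a, v in wanted.items() if existing.get(a) != v}
        uac = int(existing.get("userAccountControl", UAC_NORMAL_ACCOUNT))
        if uac & UAC_ACCOUNTDISABLE:
            # Back in the source: re-enable, but keep other flag bits set on the AD side.
            changes["userAccountControl"] = str(uac & ~UAC_ACCOUNTDISABLE)
        if changes:
            plan.ops.append(Op("modify", existing["dn"], changes))
    for key, entry in target.items():   # gone from the source: disable, never delete
        if key in seen:
            continue
        uac = int(entry.get("userAccountControl", UAC_NORMAL_ACCOUNT))
        if not uac & UAC_ACCOUNTDISABLE:
            plan.ops.append(Op("disable", entry["dn"],
                               {"userAccountControl": str(uac | UAC_ACCOUNTDISABLE)}))
    return plan

USERS_OU = "OU=Users,DC=example,DC=org"   # assumed target container
UPN_SUFFIX = "example.org"                # assumed UPN suffix
SOURCE = [  # constructed OpenLDAP snapshot
    {"uid": "jdoe", "cn": "John Doe", "givenName": "John", "sn": "Doe",
     "mail": "jdoe@example.org", "userPassword": "{SSHA}c2FsdGVkaGFzaA=="},
    {"uid": "asmith", "cn": "Ann Smith", "givenName": "Ann", "sn": "Smith", "mail": "a.smith@example.org"},
    {"uid": "ASMITH", "cn": "Ann Smith 2", "sn": "Smith"},                   # case collision
    {"uid": "cwhite", "cn": "Carl White", "sn": "White"},                    # disabled in AD, back in source
    {"uid": "averyveryverylongusername1", "cn": "Long Name", "sn": "Name"},  # 26 chars
]
TARGET = {  # constructed AD snapshot, keyed by lower-cased sAMAccountName
    "jdoe": {"dn": f"CN=John Doe,{USERS_OU}", "sAMAccountName": "jdoe", "givenName": "John",
             "sn": "Doe", "mail": "john.doe@example.org", "displayName": "John Doe",
             "userPrincipalName": "jdoe@example.org", "userAccountControl": "66048"},
    "cwhite": {"dn": f"CN=Carl White,{USERS_OU}", "sAMAccountName": "cwhite", "sn": "White",
               "displayName": "Carl White", "userPrincipalName": "cwhite@example.org",
               "userAccountControl": "514"},
    "bgone": {"dn": f"CN=Bob Gone,{USERS_OU}", "sAMAccountName": "bgone", "userAccountControl": "512"},
    "olddis": {"dn": f"CN=Old Disabled,{USERS_OU}", "sAMAccountName": "olddis", "userAccountControl": "514"},
}

def run_demo() -> Plan:
    return plan_sync(SOURCE, TARGET, USERS_OU, UPN_SUFFIX)

if __name__ == "__main__":
    plan = run_demo()
    for op in plan.ops:
        print(op.kind, op.dn, op.attrs)
    for w in plan.warnings:
        print("WARNING:", w)
```

On the constructed data the plan is: replace jdoe's mail (the source wins, other flags such as DONT_EXPIRE_PASSWD on the AD side are preserved), add asmith with userAccountControl 512, re-enable cwhite, and disable bgone; the second "ASMITH" and the 26-character uid are rejected before they can collide or fail on the DC, and jdoe's password hash is reported instead of being copied. Running this on a timer or from an OpenLDAP change feed is the "on-the-fly" synchronization Sébastien mentions; renames (a changed cn) are not handled here.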
Hi!
http://lsc-project.org/wiki/documentation/2.0/configuration/service/sourceas...
This looks nice! I will have a deeper look if there is no cleaner and more "automatic" solution.
Thanks for the advice!
On 2 April 2012 13:52, Sébastien Bahloul sebastien.bahloul@gmail.com wrote:
Hi Sylvain,
Just a word to mention that LSC is able to handle on-the-fly synchronization.
Regards,
Sebastien BAHLOUL, Ldap Synchronization Connector: http://lsc-project.org
openldap-technical@openldap.org