Hi,
I'm setting up a HA environment with centralized user administration. I'm currently considering the following setup
- For MS clients, authenticate directly to AD
- For *nix clients, authenticate to an OpenLDAP proxy which authenticates to AD
- For routers/switches, use FreeRadius to authenticate against the OpenLDAP proxy
The goals for the setup are:
1. One login for all networked nodes
2. Centralized user authentication
3. Single resource for user information
4. Highly available authentication service
5. No serious performance impact
6. Alternative login when service is unavailable
7. Easily scalable
8. Easy rollout
1, 2, 3 and 7 are achieved using AD.
4 can be achieved by a combination of a loadbalancer for each service and multiple instances of each service.
Not sure if 5 is realistic, but it should be possible I suppose.
6 is no problem for any host.
8 can be done through scripting.
What I would like to know now is:
- Is it advisable to set it up like this?
- Are there 'better' ways to achieve the same result (performance, availability, ease of maintenance)?
- Would it be better to let radius talk directly to AD, possibly even using the MS radius server?
- Is it advisable to use an OpenLDAP proxy for *nix authentication, or can I just as well use AD directly?
The main reasons for me to assume this setup is the most suitable are:
- AD replicates by default
- OpenLDAP proxy does not need to replicate
- OpenLDAP is more 'compatible' with the *nix clients
- FreeRadius does not need to replicate
- All can be loadbalanced easily.
The main question I want to know from the OpenLDAP list is: "how well does the OpenLDAP proxy perform?"
For the remainder, if anyone wants to shed some light on this, I would greatly appreciate it.
Thanks a lot in advance.
Regards,
Serge Fonville
openldap-technical@openldap.org
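As an added example (not part of Serge's post, and not an official OpenLDAP sample), here is what the proposed "OpenLDAP proxy in front of AD" piece looks like as a slapd.conf fragment for OpenLDAP 2.4: back-ldap forwards to several domain controllers with failover, the rwm overlay presents AD under a local suffix with the attribute names *nix clients expect, and the pcache overlay answers repeated lookups locally, which is the main lever on the performance question above. Hostnames (dc1/dc2.corp.example.com), the AD partition DC=corp,DC=example,DC=com, the local suffix dc=example,dc=com, the service account CN=ldapproxy and all timeouts and cache sizes are assumptions; the module paths depend on how slapd was built.

```conf
# Added example, not from the original post or from the OpenLDAP project.
# Assumes OpenLDAP 2.4 slapd.conf syntax; every host name, DN, path and
# number below is a placeholder to be replaced for the real environment.

# Load backend and overlays only if they were built as loadable modules
modulepath      /usr/lib/ldap
moduleload      back_ldap.la
moduleload      rwm.la
moduleload      pcache.la

# CA that issued the domain controllers' certificates. Binds carry AD
# passwords across the network, so the proxy only ever talks LDAPS to AD.
TLSCACertificateFile    /etc/ldap/ad-ca.pem

database        ldap
suffix          "dc=example,dc=com"
rootdn          "cn=proxyadmin,dc=example,dc=com"

# Several DCs in one uri: back-ldap moves to the next one when a DC is down,
# which is what gives the proxy its HA without any replication of its own
uri             "ldaps://dc1.corp.example.com ldaps://dc2.corp.example.com"
protocol-version 3
chase-referrals no        # AD hands out referrals for other partitions; do not follow them
network-timeout 5         # seconds before an unreachable DC is skipped
idle-timeout    300       # drop idle AD connections after 5 minutes
conn-ttl        3600      # recycle long-lived connections so load spreads again after a failover

# AD refuses anonymous searches. Anonymous lookups (nss_ldap, pam_ldap user
# lookup) are sent to AD as this read-only service account. Bind requests are
# still forwarded with the user's own credentials, so the password is verified
# by AD, and the proxy never stores user passwords.
idassert-bind   bindmethod=simple
                binddn="CN=ldapproxy,OU=Service Accounts,DC=corp,DC=example,DC=com"
                credentials="PLACEHOLDER-service-account-password"
                mode=none
                tls_reqcert=demand

# Show AD under the local suffix and map uid (what the *nix clients ask for)
# onto sAMAccountName; every other attribute passes through unchanged
overlay         rwm
rwm-suffixmassage "dc=example,dc=com" "DC=corp,DC=example,DC=com"
rwm-map         attribute uid sAMAccountName
rwm-map         attribute *   *

# Proxy cache, declared last so it sits in front of rwm and caches entries in
# their rewritten (local) form. Keeps up to 10000 entries, one attribute set,
# at most 1000 entries per cached query, consistency check every 100 seconds.
overlay         pcache
pcache          bdb 10000 1 1000 100
# Attributes the clients need (the POSIX ones assume RFC2307/SFU attributes in AD)
pcacheAttrset   0 uid cn uidNumber gidNumber homeDirectory loginShell
# Cache (uid=<value>) lookups for 15 minutes, negative answers for 1 minute
pcacheTemplate  "(uid=)" 0 900 60
directory       /var/lib/ldap/pcache
index           uid eq
```

Two things worth checking once this is in place: slapd.conf now holds the service account password, so it must be readable by the slapd user only, and the account itself needs no more than read access in AD. The cache TTLs are the trade-off behind goal 5: longer TTLs take load off the DCs, but a disabled or renamed account keeps resolving on the *nix side until its entry expires, because binds (and therefore password checks) are never served from the cache, only lookups are.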