Hello, I posted a question along these lines a few months ago and received replies, but never understood enough to implement them. I've done more research in the meantime and hopefully have learned enough to ask this question intelligently. I'm working on a project proposal for integrating Linux machines into a Windows environment. The client is very concerned about their AD environment and wants to do as little modification to it as possible (preferably none).
What I'd like to propose is that we set up an OpenLDAP server that chains to AD. If possible, I would like to use the OpenLDAP client's credentials to bind to AD instead of having a dedicated user for the OpenLDAP <--> AD connection. I believe this can be accomplished with the 'rebind-as-user' option of the ldap backend (slapd-ldap). Is this correct? Now here's where I think it gets tricky. We also need to be able to store information for the Linux boxes in LDAP (samba winbind mappings for example), but keep it separate from AD. I know that part of this would require a dedicated LDAP database backend (slapd-bdb) to be configured, but what confuses me is how to combine these two separate entities (the AD proxy and this bdb database) into one 'virtual' backend that clients can query against. Is this where slapd-translucent would come into play? Finally, if I want to create OUs in the Linux LDAP database that contain user DNs from AD, is that possible?
Any guidance, example solutions, or suggested reading is greatly appreciated. -Dave
On Fri, 1 Mar 2013 16:32:17 -0500, Mailing Lists lists@masterofpenguins.com wrote:
> [original question quoted in full; snipped, see above]
As usual, there are several approaches. Either add back-ldap or some scripting backend like back-perl in order to query AD, but in any case you have to include the AD schema in your subschema. Or get some sort of meta directory; there are a few available.
-Dieter
Mailing Lists wrote:
> [introduction snipped]
> What I'd like to propose is that we set up an OpenLDAP server that chains to AD. If possible, I would like to use the OpenLDAP client's credentials to bind to AD instead of having a dedicated user for the OpenLDAP <--> AD connection. I believe this can be accomplished with the 'rebind-as-user' option of the ldap backend (slapd-ldap). Is this correct?
No. That is not what the slapd-ldap(5) manpage says for "rebind-as-user". Go RTFM. What you want is idassert-bind.
> Now here's where I think it gets tricky. We also need to be able to store information for the Linux boxes in LDAP (samba winbind mappings for example), but keep it separate from AD. I know that part of this would require a dedicated LDAP database backend (slapd-bdb) to be configured, but what confuses me is how to combine these two separate entities (the AD proxy and this bdb database) into one 'virtual' backend that clients can query against. Is this where slapd-translucent would come into play?
slapo-translucent has only one purpose - to override the attributes of an entry that exists on a remote server with values stored in a local server. If the entry doesn't exist on the remote server, then slapo-translucent is not what you want.
> Finally, if I want to create OUs in the Linux LDAP database that contain user DNs from AD, is that possible?
Anything is possible. Dunno if it makes sense though.
> Any guidance, example solutions, or suggested reading is greatly appreciated. -Dave
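To make the two points in the reply above concrete (rebind-as-user versus idassert-bind, and how a local database and an AD proxy end up under one suffix), here is an added slapd.conf fragment. It is an editorial example, not configuration posted by anyone in this thread. The suffixes dc=example,dc=com and dc=ad,dc=example,dc=com, the host dc1.ad.example.com, the service-account DN, and the schema and module paths are all assumptions; adjust them to the real environment. The layout glues a read-only back-ldap proxy to AD in as a subordinate of a local mdb database (back-bdb works the same way for this purpose), so clients see a single tree:

```conf
# slapd.conf fragment (added example, not from the original thread).
# Everything under ou=ad,dc=example,dc=com is fetched live from AD;
# everything else under dc=example,dc=com lives in the local database.

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
# Samba's schema would be included here for idmap/winbind objects
# (path is distribution specific, so it is left out of this example).

# Module loading is only needed for dynamically built slapd; paths are assumptions.
modulepath      /usr/lib/openldap
moduleload      back_mdb
moduleload      back_ldap
moduleload      rwm

# --- 1. Subordinate: the proxy to AD. A subordinate must be defined BEFORE its superior. ---
database        ldap
suffix          "ou=ad,dc=example,dc=com"
subordinate
# The client wants no changes to AD: refuse Add/Modify/Delete here instead of forwarding them.
readonly        on

# ldaps:// so the credentials slapd forwards on the user's behalf never cross the
# network in clear. The CA for the DC certificate comes from TLS_CACERT in ldap.conf.
uri             "ldaps://dc1.ad.example.com/"

# Rewrite the virtual suffix to AD's real naming context in both directions
# (Bind DNs, search bases, returned DNs). Syntax: rwm-suffixmassage <virtual> <real>.
overlay         rwm
rwm-suffixmassage "ou=ad,dc=example,dc=com" "dc=ad,dc=example,dc=com"

# A Bind against ou=ad,... is forwarded to AD as-is: AD checks the password and later
# operations on that connection run as that user. No service account is involved.
# rebind-as-user only makes slapd remember those credentials so it can bind again after
# a dropped connection or when chasing a referral; it does not choose the bind identity.
rebind-as-user  yes
# AD answers subtree searches at the domain root with continuation references
# (DNS zone partitions etc.); hand them back to the client instead of chasing them.
chase-referrals no

# idassert-bind is the other model the reply points to: slapd binds to AD with ONE
# fixed identity for every client and (depending on mode=) asserts the client's
# identity on top of it. Enable it only if a dedicated AD account is acceptable after all.
#idassert-bind  bindmethod=simple
#               binddn="cn=ldapproxy,ou=service,dc=ad,dc=example,dc=com"
#               credentials="change-me"
#               mode=none

# Per slapd-ldap(5), only read access to returned entries is enforced locally;
# everything else is delegated to AD's own permissions.
access to *
        by users read

# --- 2. Superior: the local database with everything that is NOT in AD ---
database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
rootpw          {SSHA}replace-with-slappasswd-output
directory       /var/lib/ldap
maxsize         1073741824
index           objectClass,uid,uidNumber,gidNumber eq

# Linux-side data (e.g. ou=idmap for winbind, ou=groups for local groups) is
# ordinary local data here and never touches AD.
access to *
        by self write
        by users read
```

With this layout the last question in the thread ("OUs in the Linux database that contain user DNs from AD") is just a groupOfNames or similar entry in the local database whose member values are DNs under ou=ad,dc=example,dc=com; slapd does not verify that a DN-valued attribute points at an existing entry, so nothing in AD needs to change. The opposite shape, where AD entries already exist and only need extra attributes (uidNumber, loginShell) supplied locally, is the slapo-translucent case the reply describes, and it would be configured on the local database rather than as a glued subordinate.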
openldap-technical@openldap.org