Hi everyone,
If this post here is in poor taste, please pardon my interruption. It's just that I figured those here would have a high probability of trying to do as I am trying to do.
Background: I'm a debian-head from the early 90's, but I'm new to OpenLDAP, and this is my first post here. I'm about halfway done with Mastering OpenLDAP, and I've been lurking here for a month or so, trying to understand how things work, and looking for questions like mine. I also just read Kerberos, the definitive guide as a primer into understanding how my team can make everyone 'Just Get Along(tm)' in a multi-platform global enterprise, while leveraging open source projects.
Rough Goals:
* We're exploring ways in which we can have a single user/group database for everything, everywhere in our domain.
* Additionally, we want as 'SSO' an environment as possible.
* We also want to keep, and even extend all the other NIS functionality we use today - only without the NIS limitations.
* We also need to be able to phase it in, or even have it overlap with our current situation for a period, so it's not an all-or-nothing kind of change.
The Parts Bin: There's a bunch of parts around, and they all kind of fit together, but to my current understanding anyway, seem to create a few different incomplete solutions, such as:
* Samba/Winbind/Kerberos (possibly backed by OpenLDAP)
* OpenLDAP/Kerberos with trusts to AD
* AD using 2003R2 and possibly custom schema modifications if required.
My question really is what are others doing to solve this type of problem? Architecturally, what is the best approach given the above desired outcome?
Thanks to all for your thoughts and insight on this,
Regards,
Christopher Barry
Systems Engineer
QLogic
"Christopher Barry" christopher.barry@qlogic.com writes:
Hi everyone,
[..]
The Parts Bin: There's a bunch of parts around, and they all kind of fit together, but to my current understanding anyway, seem to create a few different incomplete solutions, such as:
- Samba/Winbind/Kerberos (possibly backed by OpenLDAP)
No, this is not possible, ask on a samba list for reasons.
- OpenLDAP/Kerberos with trusts to AD
yes, this can be done,
- AD using 2003R2 and possibly custom schema modifications if required.
this could be done
My question really is what are others doing to solve this type of problem? Architecturally, what is the best approach given the above desired outcome?
If you administer a homogenous windows network, keep AD as primary domain controller (just KDC) and configure samba as backup controller. If you administer a heterogenous network, get, in addition to the above mentioned design, OpenLDAP plus heimdal kerberos to administer Unix hosts and users and create a trust relation to AD.
-Dieter
-----Original Message-----
From: openldap-technical-bounces+christopher.barry=qlogic.com@openldap.org [mailto:openldap-technical-bounces+christopher.barry=qlogic.com@openldap.org] On Behalf Of Dieter Kluenter
Sent: Tuesday, September 23, 2008 1:11 PM
To: openldap-technical@openldap.org
Subject: Re: RFT0001 : Request For Thoughts
--
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
53°08'09,95"N 10°08'02,42"E
Thanks Dieter.
Why heimdal as opposed to MIT? Is it better at AD interop, or are you thinking about crypto restrictions?
Also, would you recommend keeping all user/group data in AD proper, but all other NIS related stuff in OpenLDAP?
Regards, -C
Hi Christopher,
"Christopher Barry" christopher.barry@qlogic.com writes:
"Christopher Barry" christopher.barry@qlogic.com writes:
[...]
My question really is what are others doing to solve this type of problem? Architecturally, what is the best approach given the above desired outcome?
If you administer a homogenous windows network, keep AD as primary domain controller (just KDC) and configure samba as backup controller. If you administer a heterogenous network, get, in addition to the above mentioned design, OpenLDAP plus heimdal kerberos to administer Unix hosts and users and create a trust relation to AD.
[...]
Thanks Dieter.
Why heimdal as opposed to MIT? Is it better at AD interop, or are you thinking about crypto restrictions?
The reason for heimdal actually is that credentials can be stored in OpenLDAP; another argument is better threading behaviour.
Also, would you recommend keeping all user/group data in AD proper, but all other NIS related stuff in OpenLDAP?
This really depends on the whole design, I wouldn't give any recommendation here.
-Dieter
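Added example, not from the thread or from either poster: the shape of the design Dieter describes, expressed as one Heimdal krb5.conf/kdc.conf, with the Unix realm's principal database kept in OpenLDAP (Heimdal's hdb-ldap backend) and a direct cross-realm trust to the AD realm. Realm names, hosts, DNs and file paths are placeholders.

```ini
; Constructed example: Unix realm served by Heimdal, principals stored in
; OpenLDAP, cross-realm trust with an Active Directory realm.
[libdefaults]
    default_realm = UNIX.EXAMPLE.COM

[realms]
    UNIX.EXAMPLE.COM = {
        kdc = kdc1.unix.example.com
        admin_server = kdc1.unix.example.com
    }
    ; The AD domain controllers are the KDCs of the Windows realm.
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
        admin_server = dc1.ad.example.com
    }

[domain_realm]
    .unix.example.com = UNIX.EXAMPLE.COM
    .ad.example.com = AD.EXAMPLE.COM

; Direct trust path in both directions. This only works once the
; cross-realm principals krbtgt/AD.EXAMPLE.COM@UNIX.EXAMPLE.COM and
; krbtgt/UNIX.EXAMPLE.COM@AD.EXAMPLE.COM exist on both sides with the
; same key; AD creates its half when the realm trust is added there.
[capaths]
    UNIX.EXAMPLE.COM = {
        AD.EXAMPLE.COM = .
    }
    AD.EXAMPLE.COM = {
        UNIX.EXAMPLE.COM = .
    }

; KDC side: keep Kerberos principals and keys as krb5Principal/krb5KDCEntry
; attributes on the existing user entries in OpenLDAP, so Unix accounts and
; Kerberos credentials are one object. Heimdal reaches slapd over ldapi:///
; (SASL EXTERNAL), so no LDAP password is stored in this file.
[kdc]
    database = {
        dbname = ldap:ou=People,dc=example,dc=com
        hdb-ldap-structural-object = inetOrgPerson
        hdb-ldap-create-base = ou=People,dc=example,dc=com
        mkey_file = /var/lib/heimdal-kdc/m-key
        acl_file = /etc/heimdal-kdc/kadmind.acl
    }
```

Because krb5Key then holds each principal's long-term key, slapd's ACLs must grant read and write on krb5Key (and krb5KeyVersionNumber) only to the identity the KDC binds as over ldapi and deny it to everyone else, including ordinary authenticated users who can read their own posixAccount attributes.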