I am not entirely sure where to ask this particular question, and I apologize in advance if this is not the correct forum...
We have an AD infrastructure and we'd like to get all of our unix boxes to authenticate against the AD servers. I'm able to query against our AD servers by hand using:
ldapsearch -x -LLL -E pr=200/noprompt -h ouradhost -D "CN=Administrator,OU=IT Department,OU=Users,OU=My Business,DC=ourdomain,DC=dotcom" -W -b "dc=ourdomain, dc=dotcom" -s sub "(cn=*)"
And that gives me the entire tree, but I haven't made much progress from there. Honestly, I am unsure what the 'right' resulting architecture would be: have each unix (Linux, CentOS) system, using nss_ldap, authenticate against AD directly, or build an OpenLDAP replica of the AD contents (just user accounts) and have the unix boxes authenticate against that. Because of the AD layout, I'm not sure nss_ldap is even configurable enough to map users from the mess of groups within AD to one layer of users. The AD layout is messy: the users are broken up into different groups ("IT Department", "Executives", etc.) within AD, and it isn't straightforward how to do a query just to get all users (regardless of the group).
(unfortunately, I have no ability at this time to re-work the AD architecture, nor do I take responsibility for its current layout)
Thanks! -Rich
On Tue, 2008-05-06 at 16:41 -0400, Rich West wrote:
> I am not entirely sure where to ask this particular question, and I apologize in advance if this is not the correct forum...
> We have an AD infrastructure and we'd like to get all of our unix boxes to authenticate against the AD servers.
You really should be looking at Samba and winbind. There we handle all the messy details of dealing with AD.
If you want (say, for reasons of reducing dependence on AD) to use your own replicated directory, then this is quite possible (and OpenLDAP would be a fine DS for that purpose), but this gets painful with passwords etc.
Andrew Bartlett
Andrew Bartlett wrote:
> On Tue, 2008-05-06 at 16:41 -0400, Rich West wrote:
>> I am not entirely sure where to ask this particular question, and I apologize in advance if this is not the correct forum...
>> We have an AD infrastructure and we'd like to get all of our unix boxes to authenticate against the AD servers.
> You really should be looking at Samba and winbind. There we handle all the messy details of dealing with AD.
> If you want (say, for reasons of reducing dependence on AD) to use your own replicated directory, then this is quite possible (and OpenLDAP would be a fine DS for that purpose), but this gets painful with passwords etc.
Interesting... I was not aware that there was a PAM hook for user/password auth.
If I were to do an OpenLDAP replica, it would be read-only, which should make things a little easier (I hope). Again, if I went down that route, I am not sure exactly how to proceed (write a Perl script to perform the right ldapsearch to pull all of the user entries to build the LDIF file which then gets slurped into OpenLDAP? write a Perl script to use the LDAP lib to grab each entry and insert it into OpenLDAP?)
-Rich
On Wed, 2008-05-07 at 10:56 -0400, Rich West wrote:
> Andrew Bartlett wrote:
>> On Tue, 2008-05-06 at 16:41 -0400, Rich West wrote:
>>> I am not entirely sure where to ask this particular question, and I apologize in advance if this is not the correct forum...
>>> We have an AD infrastructure and we'd like to get all of our unix boxes to authenticate against the AD servers.
>> You really should be looking at Samba and winbind. There we handle all the messy details of dealing with AD.
>> If you want (say, for reasons of reducing dependence on AD) to use your own replicated directory, then this is quite possible (and OpenLDAP would be a fine DS for that purpose), but this gets painful with passwords etc.
> Interesting... I was not aware that there was a PAM hook for user/password auth.
Yes, pam_winbind and nss_winbind are key parts of what makes winbind what it is.
If you want something that just works, then this is the route to move down.
> If I were to do an OpenLDAP replica, it would be read-only, which should make things a little easier (I hope). Again, if I went down that route, I am not sure exactly how to proceed (write a Perl script to perform the right ldapsearch to pull all of the user entries to build the LDIF file which then gets slurped into OpenLDAP? write a Perl script to use the LDAP lib to grab each entry and insert it into OpenLDAP?)
I think it's all been done before, but the challenge is getting the passwords. You end up either with passing these along (simple bind -> krb5 kinit in the OpenLDAP server) or with nasty password sync stuff.
Andrew Bartlett
Andrew Bartlett wrote:
> On Wed, 2008-05-07 at 10:56 -0400, Rich West wrote:
>> Andrew Bartlett wrote:
>>> On Tue, 2008-05-06 at 16:41 -0400, Rich West wrote:
>>>> I am not entirely sure where to ask this particular question, and I apologize in advance if this is not the correct forum...
>>>> We have an AD infrastructure and we'd like to get all of our unix boxes to authenticate against the AD servers.
>>> You really should be looking at Samba and winbind. There we handle all the messy details of dealing with AD.
>>> If you want (say, for reasons of reducing dependence on AD) to use your own replicated directory, then this is quite possible (and OpenLDAP would be a fine DS for that purpose), but this gets painful with passwords etc.
>> Interesting... I was not aware that there was a PAM hook for user/password auth.
> Yes, pam_winbind and nss_winbind are key parts of what makes winbind what it is.
> If you want something that just works, then this is the route to move down.
There's a further consideration - AD is one of the slowest authentication systems out there. If every authentication is relayed by winbind and verified by AD, the authentication load may be greater than AD can handle. In that case, it's smarter to pursue the replication approach.
>> If I were to do an OpenLDAP replica, it would be read-only, which should make things a little easier (I hope). Again, if I went down that route, I am not sure exactly how to proceed (write a Perl script to perform the right ldapsearch to pull all of the user entries to build the LDIF file which then gets slurped into OpenLDAP? write a Perl script to use the LDAP lib to grab each entry and insert it into OpenLDAP?)
> I think it's all been done before, but the challenge is getting the passwords. You end up either with passing these along (simple bind -> krb5 kinit in the OpenLDAP server) or with nasty password sync stuff.
Given the low frequency of password changes (relative to every other type of operation) it's still better to sync from AD to OpenLDAP than to talk directly to AD.
Depending on which version of AD is in use, some variant of Microsoft's DirSync would be the starting point. That plus their password-sync agent is all you'd need.
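A worked sketch of the replication approach argued for above, added here as an example and not code from any poster: it takes ldapsearch -LLL output from AD, selects person objects wherever they sit in the OU tree (Rich's "all users regardless of group" problem), flattens them into posixAccount entries for a read-only OpenLDAP replica, and leaves passwords in AD via OpenLDAP's {SASL} pass-through scheme rather than syncing hashes. The sample LDIF, the RID-offset uidNumber scheme, the realm OURDOMAIN.DOTCOM and the ou=People container are all constructed assumptions; the {SASL} scheme requires slapd built with Cyrus SASL and saslauthd running with the kerberos5 mechanism.

```python
import base64

# Constructed ldapsearch -LLL output from AD (not real data): a person and a computer account in different OUs.
SAMPLE_AD_LDIF = """dn: CN=Jane Doe,OU=IT Department,OU=Users,OU=My Business,DC=ourdomain,DC=dotcom
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ourdomain,DC=dotcom
sAMAccountName: jdoe
displayName: Jane
  Doe
objectSid:: AQUAAAAAAAUVAAAAAQAAAAIAAAADAAAAUQQAAA==

dn: CN=FILESRV01,OU=Servers,DC=ourdomain,DC=dotcom
objectClass: user
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=ourdomain,DC=dotcom
sAMAccountName: FILESRV01$
objectSid:: AQUAAAAAAAUVAAAAAQAAAAIAAAADAAAAUgQAAA==
"""

def parse_ldif(text):  # minimal LDIF reader: unfold continuation lines, decode '::' base64 values to bytes
    entries = []
    for block in text.replace("\n ", "").strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, val = line.partition(":")
            entry.setdefault(attr, []).append(base64.b64decode(val[1:].strip()) if val.startswith(":") else val.strip())
        entries.append(entry)
    return entries

def sid_rid(sid):  # the last sub-authority of a binary SID is the RID: stable and unique within the domain
    return int.from_bytes(sid[8 + 4 * (sid[1] - 1):8 + 4 * sid[1]], "little")

UID_BASE = 10000                                   # assumption: RID-offset mapping, like winbind's idmap_rid
REALM = "OURDOMAIN.DOTCOM"                         # assumption: the AD Kerberos realm
PEOPLE_BASE = "ou=People,dc=ourdomain,dc=dotcom"   # assumption: one flat container in the replica

def to_posix_entries(ad_ldif):  # flatten AD person objects from every OU into posixAccount entries
    out = []
    for e in parse_ldif(ad_ldif):
        # Computer accounts are objectClass=user too; objectCategory=Person picks people in any OU.
        if not any(v.startswith("CN=Person,") for v in e.get("objectCategory", [])):
            continue
        uid = e["sAMAccountName"][0]
        out.append({
            "dn": f"uid={uid},{PEOPLE_BASE}", "objectClass": ["account", "posixAccount"],
            "uid": uid, "cn": e.get("displayName", [uid])[0], "homeDirectory": f"/home/{uid}",
            "uidNumber": str(UID_BASE + sid_rid(e["objectSid"][0])), "gidNumber": str(UID_BASE),
            # No hash is copied: {SASL} makes slapd verify the bind password via saslauthd against the AD KDC.
            "loginShell": "/bin/bash", "userPassword": f"{{SASL}}{uid}@{REALM}",
        })
    return out
```

The export itself should bind with a dedicated read-only account rather than the Administrator DN used in the hand query, and the same objectCategory test can be pushed into the ldapsearch filter as (&(objectClass=user)(objectCategory=person)) so AD returns only people.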
openldap-technical@openldap.org