Hi All,
I'm still researching methods, and trying to find the best way to integrate our Unix hosts with AD in a way that makes sense for us.
The goal is to have a single user/password db in AD, and have all of the old NIS map data in OpenLDAP. SSO would be a nice to have feature too. I've read more stuff than I can count, but I'm still more than a little confused.
The translucent overlay looks cool (if it'll even work with AD), but I'm not sure it's the right answer for us with respect to keeping the maps local to OpenLDAP.
Any suggestions or doc links you can post?
Thanks, -C
> On Thu, 2008-11-13 at 19:27 -0600, Christopher Barry wrote:
> Hi All,
> I'm still researching methods, and trying to find the best way to integrate our Unix hosts with AD in a way that makes sense for us.
> The goal is to have a single user/password db in AD, and have all of the old NIS map data in OpenLDAP. SSO would be a nice to have feature too. I've read more stuff than I can count, but I'm still more than a little confused.
> The translucent overlay looks cool (if it'll even work with AD), but I'm not sure it's the right answer for us with respect to keeping the maps local to OpenLDAP.
> Any suggestions or doc links you can post?
Hi,
AD is basically a combination of LDAP and Kerberos. LDAP contains the user database (authorization) and Kerberos the passwords (authentication).
I've successfully managed to replicate a 'kind of' Active Directory server in our network using the above-mentioned (LDAP + Kerberos); however, this is running on a Unix host and there are no Windows clients on the network.
SSO is often misunderstood. 'Single Sign On' means not only that all the passwords and password policies are the same across all the services (e.g. SSH, HTTP, IMAP, ...), but also that the user typically needs to provide the authentication information (password) only once (during logon to his workstation), and all the rest of the services are authenticated without the need to provide the (same) password again. This is achievable only using Kerberos (a TGT is requested on logon; all the other tickets are granted via the TGT).
There is a way on Unix (Linux) to use AD Kerberos as the KDC. Unix workstations then act as clients to the AD KDC, and therefore you achieve a single user/password database for Linux/Windows clients.
There are a few gotchas: the Microsoft Kerberos implementation is quite different from the MIT or Heimdal ones; it's not impossible, though. There are quite a lot of docs around about this subject.
The major problem is that client support on Linux is not great at the moment, especially disconnected operation.
Windows, on first logon to AD, caches all the user's auth information, and even if offline (not on a LAN where it can reach AD) the user is still able to log on and work on his laptop using AD credentials.
On Linux you can achieve this more or less, but it's far from perfect. You can use several combinations of libpam-krb5, libpam-ccreds, nscd, nss-updatedb and libnss-ldap, achieving variable results in different situations. My solution (to make it bullet-proof) is syncing local (Unix) auth with Kerberos creds.
There is some proprietary client software for Linux to join and auth to AD; just to mention one: likewise-open. I did not test the quality of these as my setup is different (no AD; I have my own Unix auth server).
To finish: you are trying to achieve the holy grail of the network administrator in mixed environments. Good luck with it. You need to concentrate more on Kerberos than LDAP (without downplaying the importance of LDAP in this matter).
Best Wishes,
Martin Simovic, Systems Administrator, Concurrent Thinking
Thanks, -C
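Added example (not part of Martin's message or anything else in this thread): the configuration a Linux host needs to use the AD domain controllers as its KDC, as Martin describes. Realm EXAMPLE.COM, DNS domain example.com, the domain controller dc1.example.com, the uid threshold of 1000 and the Debian-style /etc/pam.d/common-auth layout are all assumptions; substitute your own.

```conf
# /etc/krb5.conf on a Linux host whose KDC is Active Directory.
# Assumed names: realm EXAMPLE.COM, DNS domain example.com, DC dc1.example.com.
[libdefaults]
    default_realm = EXAMPLE.COM
    # AD publishes _kerberos._tcp.EXAMPLE.COM SRV records, so the library can find
    # every DC from DNS instead of a hard-coded list.
    dns_lookup_kdc = true
    dns_lookup_realm = false
    # Forwardable TGTs are what turn "log in once" into "ssh onward without a password".
    forwardable = true
    ticket_lifetime = 10h
    renew_lifetime = 7d

[realms]
    EXAMPLE.COM = {
        # Explicit fallback in case SRV lookup is unavailable on this host.
        kdc = dc1.example.com
        admin_server = dc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

# /etc/pam.d/common-auth (Debian-style layout assumed).
# Kerberos first; accounts below uid 1000 (local service accounts, root) never
# touch the KDC; everything else falls back to /etc/shadow with the same password.
auth    sufficient   pam_krb5.so minimum_uid=1000
auth    required     pam_unix.so try_first_pass
```

Check it before touching PAM: `kinit jdoe@EXAMPLE.COM` followed by `klist` should show a TGT from the DC; a clock-skew error means the host is not synchronised with the DCs (Kerberos tolerates only a few minutes, five by default). Two caveats the fragment above does not solve on its own. First, a password check that only obtains a TGT can be spoofed by a rogue KDC; make sure pam_krb5 verifies the TGT against a key in /etc/krb5.keytab and that the host actually has one. Second, SSO into SSH (GSSAPIAuthentication in sshd_config) needs a host/hostname.example.com@EXAMPLE.COM key in that keytab, which means joining the host to the domain (for example with Samba's `net ads join`); without it you get a shared password database but not single sign-on. The offline-logon gap Martin mentions is not addressed here; pam_ccreds is the usual component for it.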
On Fri, 2008-11-14 at 09:51 +0000, Martin Simovic wrote:
> On Thu, 2008-11-13 at 19:27 -0600, Christopher Barry wrote:
> > Hi All,
> > I'm still researching methods, and trying to find the best way to integrate our Unix hosts with AD in a way that makes sense for us.
> > The goal is to have a single user/password db in AD, and have all of the old NIS map data in OpenLDAP. SSO would be a nice to have feature too. I've read more stuff than I can count, but I'm still more than a little confused.
> > The translucent overlay looks cool (if it'll even work with AD), but I'm not sure it's the right answer for us with respect to keeping the maps local to OpenLDAP.
> > Any suggestions or doc links you can post?
> Hi,
> AD is basically a combination of LDAP and Kerberos. LDAP contains the user database (authorization) and Kerberos the passwords (authentication).
AD is much, much more than that.
If AD was that simple, then Samba4 would be well-finished by now.
Andrew Bartlett
On Thu, Nov 13, 2008 at 07:27:44PM -0600, Christopher Barry wrote:
> The goal is to have a single user/password db in AD, and have all of the old NIS map data in OpenLDAP. SSO would be a nice to have feature too. I've read more stuff than I can count, but I'm still more than a little confused.
You might want to consider pass-through authentication:
http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authenticat...
That would allow you to keep non-Windows data in OpenLDAP but still use AD to check passwords.
Doing tricks like that does leave you open to more failure modes: loss of connectivity to AD, failure of the SASL daemon etc.
Andrew
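Added example (not from Andrew's message or the OpenLDAP documentation it links): the three pieces of the pass-through setup he suggests, with OpenLDAP holding the POSIX/NIS data and saslauthd asking AD whether a password is right. The realm EXAMPLE.COM, the DC dc1.example.com, the AD service account, the user jdoe, and the file paths (the SASL plugin directory and the saslauthd socket differ between distributions) are assumptions.

```conf
# 1. What slapd tells the SASL library: hand {SASL} password checks to saslauthd.
#    File name is always slapd.conf, in the SASL plugin directory
#    (e.g. /usr/lib/sasl2/slapd.conf or /etc/sasl2/slapd.conf; assumed here).
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

# 2. /etc/saslauthd.conf, used with:  saslauthd -a ldap -r -O /etc/saslauthd.conf
#    saslauthd verifies the password by binding to AD as the user.
#    The bind is a simple bind, i.e. the password crosses the wire, so use ldaps://
#    (or ldap_start_tls: yes) and pin the AD CA; never plain ldap:// to port 389.
ldap_servers: ldaps://dc1.example.com/
ldap_tls_cacert_file: /etc/ssl/certs/ad-root-ca.pem
ldap_search_base: DC=example,DC=com
# Low-privilege AD account that may only search; this file must be readable by root only.
ldap_bind_dn: CN=saslauthd,OU=Service Accounts,DC=example,DC=com
ldap_bind_pw: <service account password>
# %u is the user part of the {SASL} value, so the OpenLDAP uid must equal the AD sAMAccountName.
ldap_filter: (sAMAccountName=%u)
ldap_auth_method: bind

# 3. LDIF to switch one OpenLDAP entry to pass-through; the NIS-derived attributes
#    (uidNumber, gidNumber, homeDirectory, ...) stay in OpenLDAP untouched.
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SASL}jdoe@EXAMPLE.COM
```

Test the chain from the bottom up. `testsaslauthd -u jdoe -r EXAMPLE.COM -p 'the-ad-password'` exercises saslauthd alone; then `ldapwhoami -x -D uid=jdoe,ou=People,dc=example,dc=com -W` against slapd exercises the whole path. The failure modes Andrew names are fail-closed: if saslauthd is down or AD is unreachable, binds for {SASL} entries fail, nobody is let in with a stale password, and the entries with ordinary hashed userPassword values keep working, so keep a break-glass admin account with a locally stored hash. Note that AD is only consulted for the password; what jdoe may read or write in OpenLDAP is still decided by slapd's ACLs, and account lockout or password-expiry state in AD is reported back only as a failed bind.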
openldap-technical@openldap.org