Hi,
This is my first experience with LDAP, there are lots of different approaches to configuring OpenLDAP and I'm a bit lost.
I'm about to set up a Windows domain server with AD for some 50 Windows PCs. The Windows PCs will use the Windows server directly and that's settled.
However I also have lots of different services running on Linux servers which require the same user authentication and could be configured to use LDAP-based authentication instead of each having their own account database. It's a hassle to maintain accounts for each service separately.
Also, if the windows server should be unavailable, I'd still like to be able to login and use the services running on linux servers.
So I imagine having OpenLDAP act as a slave server (like in DNS) for the Windows Active Directory service's "User" space.
Is this possible and which configuration path should I take? The manual mentions proxy configurations as well as something called chaining.
Please point me to the correct chapter and any other hints are appreciated.
Regards,
On Fri, Apr 24, 2009 at 03:00:07PM +0300, Aleksander Kamenik wrote:
> I'm about to set up a Windows domain server with AD for some 50 Windows PCs. The Windows PCs will use the Windows server directly and that's settled.
> Also, if the windows server should be unavailable, I'd still like to be able to login and use the services running on linux servers.
> So I imagine having OpenLDAP act as a slave server (like in DNS) for the Windows Active Directory service's "User" space.
> Is this possible and which configuration path should I take? The manual mentions proxy configurations as well as something called chaining.
A proxy config would be fairly easy, but would not continue working when the AD server goes down.
You cannot set up OpenLDAP as a simple slave of AD, as AD does not support the same replication process that OpenLDAP uses. Also, AD does not store passwords in LDAP: this is done by Kerberos.
It is reasonably easy to synchronise data from AD to OpenLDAP using a sync tool or a scripting language. The problem is to capture the passwords.
One option here is to install a password-change interceptor on the AD server(s) (all of them) and have it pass the new passwords to OpenLDAP. You then tell the users that they have to change their passwords before getting access to the Linux servers.
Another option is to set up the OpenLDAP server to do proxy auth to the AD server and then to store the password locally if the authentication succeeds. You would still need the password interceptor to make sure that you don't keep old passwords in the OpenLDAP store. I am not sure whether the proxy-and-keep function has made it into a distributed version yet. It was discussed in this thread among others:
http://markmail.org/message/7lfitkilcog6cupj#query:+page:1+mid:mhidasifceeyv...
Andrew
openldap-technical@openldap.org
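The "sync the data, but the passwords are the problem" point in the reply above is easiest to see in code. The following is an added example written for this page, not code from the thread, from OpenLDAP or from any sync tool: it takes a snapshot of AD user entries (constructed inline here) plus what OpenLDAP currently holds, maps the AD attributes onto inetOrgPerson/posixAccount, and emits the LDIF delta. The target suffix ou=People,dc=example,dc=com, the RID-based uidNumber offset and the fixed gidNumber are all hypothetical choices. Note what it does not do: it never emits userPassword, because AD does not return password material over LDAP, and it leaves any userPassword already stored in OpenLDAP untouched, since that value has to come from a separate path such as the password-change interceptor the reply describes.

```python
import struct

PEOPLE_BASE = "ou=People,dc=example,dc=com"   # hypothetical OpenLDAP target suffix
UID_BASE = 10000                              # hypothetical offset: uidNumber = UID_BASE + RID
DEFAULT_GID = 100                             # hypothetical primary group for synced users

# AD attribute -> OpenLDAP attribute. No password attribute is mapped:
# AD never returns password material over LDAP, so it cannot be synced this way.
ATTR_MAP = {
    "sAMAccountName": "uid",
    "givenName": "givenName",
    "sn": "sn",
    "displayName": "cn",
    "mail": "mail",
}

def rid_from_sid(sid):
    """RID (last sub-authority) of a binary Windows SID.
    Layout: revision(1) | sub-authority count(1) | authority(6, big-endian)
            | count x uint32 little-endian sub-authorities."""
    revision, count = sid[0], sid[1]
    if revision != 1 or len(sid) != 8 + 4 * count:
        raise ValueError("malformed SID")
    return struct.unpack_from("<I", sid, 8 + 4 * (count - 1))[0]

def ad_to_ldap(ad_entry):
    """Map one AD user entry to (dn, attrs) for the OpenLDAP people tree."""
    if "unicodePwd" in ad_entry:
        # AD does not disclose this attribute on read; seeing it means the input is bogus.
        raise ValueError("unexpected password material in AD entry")
    uid = ad_entry["sAMAccountName"]
    attrs = {"objectClass": ["inetOrgPerson", "posixAccount"]}
    for ad_attr, ldap_attr in ATTR_MAP.items():
        if ad_attr in ad_entry:
            attrs[ldap_attr] = [ad_entry[ad_attr]]
    attrs["uidNumber"] = [str(UID_BASE + rid_from_sid(ad_entry["objectSid"]))]
    attrs["gidNumber"] = [str(DEFAULT_GID)]
    attrs["homeDirectory"] = ["/home/" + uid]
    return "uid=%s,%s" % (uid, PEOPLE_BASE), attrs

def diff_entries(current, desired):
    """Change records (add/modify/delete) turning `current` into `desired`.
    Both are dicts dn -> {attr: [values]}. Only attributes this sync manages
    are replaced, so a userPassword already in OpenLDAP is left alone."""
    changes = []
    for dn in sorted(set(current) | set(desired)):
        if dn not in current:
            changes.append({"dn": dn, "changetype": "add", "attrs": desired[dn]})
        elif dn not in desired:
            changes.append({"dn": dn, "changetype": "delete", "attrs": {}})
        else:
            replaced = {a: v for a, v in desired[dn].items() if current[dn].get(a) != v}
            if replaced:
                changes.append({"dn": dn, "changetype": "modify", "attrs": replaced})
    return changes

def to_ldif(changes):
    """Render change records as LDIF suitable for ldapmodify(1)."""
    records = []
    for ch in changes:
        lines = ["dn: " + ch["dn"], "changetype: " + ch["changetype"]]
        for attr, values in ch["attrs"].items():
            if ch["changetype"] == "modify":
                lines.append("replace: " + attr)
            lines.extend("%s: %s" % (attr, v) for v in values)
            if ch["changetype"] == "modify":
                lines.append("-")
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"

def sync_ldif(ad_entries, current_ldap):
    """Whole pipeline: AD snapshot + current OpenLDAP contents -> LDIF delta."""
    desired = dict(ad_to_ldap(e) for e in ad_entries)
    return to_ldif(diff_entries(current_ldap, desired))

# --- constructed sample data, not real directory contents ---------------------
def sample_sid(rid):
    """Binary form of the constructed SID S-1-5-21-1-2-3-<rid>."""
    subs = [21, 1, 2, 3, rid]
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + b"".join(struct.pack("<I", s) for s in subs)

AD_SNAPSHOT = [
    {"sAMAccountName": "alice", "givenName": "Alice", "sn": "Example",
     "displayName": "Alice Example", "mail": "alice@example.com", "objectSid": sample_sid(1105)},
    {"sAMAccountName": "bob", "givenName": "Bob", "sn": "Example",
     "displayName": "Bob Example", "mail": "bob@example.com", "objectSid": sample_sid(1106)},
]

CURRENT_LDAP = {
    # alice exists with a stale mail address and a locally stored password (constructed hash).
    "uid=alice," + PEOPLE_BASE: {
        "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["alice"],
        "givenName": ["Alice"], "sn": ["Example"], "cn": ["Alice Example"],
        "mail": ["alice.old@example.com"], "uidNumber": ["11105"], "gidNumber": ["100"],
        "homeDirectory": ["/home/alice"], "userPassword": ["{SSHA}constructed-placeholder"],
    },
    # carol is gone from AD and should be removed from OpenLDAP.
    "uid=carol," + PEOPLE_BASE: {"objectClass": ["inetOrgPerson"], "uid": ["carol"]},
}

if __name__ == "__main__":
    print(sync_ldif(AD_SNAPSHOT, CURRENT_LDAP), end="")
```

Run stand-alone it prints one modify (alice's mail), one add (bob) and one delete (carol); alice's existing userPassword is not touched and bob arrives with no password at all, which is exactly why users would have to change their password, or an interceptor would have to push it, before the Linux side can authenticate them.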