Re: AD passwd in OpenLDAP

[Buchan Milne <bgmilne@obsidian.co.za>]

On 20 Apr 2004, Turbo Fredriksson wrote:

> I have a customer that have been bitten by the "must upgrade because
> there's newer versions" bug (RH8 is to old it seems - go figure) who
> authenicate the Linux clients to an AD using LibNSS/LDAP and
> LibPAM/{LDAP,Krb5}.
> 

Well, considering RH8 is no longer supported by updates ..

> This required the SFU (M$ 'version' of the AD4UNIX), which is _EXTREAMLY_
> unstable!
> 
> 
> I was thinking that maybe I should setup a 'slave' KDC (MIT Kerberos
> OR Heimdal - don't care that much in this regard) which manually or
> (preferably) automaticly was syncing against the primary AD.
> 
> Now, since UNIX needs the RFC2307 (which the SFU provides to AD), I
> can't do a 100% sync (I don't want the RFC2307 stuff in AD), so some
> filtering needs to take place. The most 'troublesome' (?) would probably
> be the userPassword field.
> 
> It was a while since I looked into what an AD object looks like, but
> I remember that there where a lot of stuff that's not needed by UNIX
> clients.
> 
> The important thing is that it should be possible to change the password
> in ANY environment (Windows OR Linux/UNIX), and the effect should be
> done in both places (AD and the slave KDC). Is it possible to use the
> AD eqvivalens of the 'userPassword' field directly in OpenLDAP, and
> is there any scripts etc that can do this syncronization?
> 

Why don't you just use Winbind (from samba3), and authenticate as if you 
were a Windows machine in the AD.

If you have multiple client machines, and consistent uid's are important, 
you may need to set up one OpenLDAP server to hold the "Idmap" entries 
(mappings between Windows SID and uid/gid).

Regards,
Buchan