
Re: OpenLDAP+Active Directory



On Tue, 2008-01-22 at 01:14 -0800, Howard Chu wrote:
> Aiko Barz wrote:
> > Hello,
> >
> > is it possible to create an Active Directory forest with multiple
> > subdomains and make that information available for one Linux
> > machine?
> > Right now, we have one domain and it is possible to do authentication
> > against the Active Directory, while using OpenLDAP, PAM and Kerberos.
> >
> > But now, another department would like to have its own
> > directory/sub-domain. This means: uid=xyz will be located on
> > different directory servers within the Active Directory forest.
> > That means, there are UIDs with different BASEDNs.
> >
> > CN=userA,OU=Users,DC=example,DC=local from AD1 and
> > CN=userB,OU=Users,DC=sub,DC=example,DC=local from AD2 shall both be
> > able to access a Linux box via SSH. No problem?
> >
> > Regards,
> >      Aiko
> 
> There's nothing in OpenLDAP that would prevent this. This is a question more 
> suited to either the pam_ldap or nss_ldap mailing lists. The only problem is 
> you might have cn=userA representing two different users in both domains at 
> once, and you'll have to have some kind of policy for dealing with those 
> situations.

This is really the kind of thing that Samba and winbind do best.
Winbind understands the topology, and creates accounts like AD1\userA
and AD2\userB so that there is no possibility of conflict.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

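As an added illustration of the conflict Howard describes (the same bare cn in two domains of the forest) and of the domain-qualified names winbind produces to avoid it; this is example code, not from the thread or from Samba, and the base-DN to domain-name map, the sample DNs and the unescaped-comma DN format are constructed assumptions:

```python
# Added example: show how bare cn values from two AD domains can collide,
# and how domain-qualified names (as winbind produces) keep them distinct.
from collections import defaultdict

# Constructed: which base DN belongs to which domain short name.
DOMAIN_BY_BASE = {
    "dc=example,dc=local": "AD1",
    "dc=sub,dc=example,dc=local": "AD2",
}

# Constructed sample DNs, mirroring the thread's example plus a deliberate clash.
SAMPLE_DNS = [
    "CN=userA,OU=Users,DC=example,DC=local",
    "CN=userB,OU=Users,DC=sub,DC=example,DC=local",
    "CN=userA,OU=Users,DC=sub,DC=example,DC=local",  # same cn as AD1's userA
]


def split_dn(dn):
    """Return (cn, base_dn); assumes simple DNs with no escaped commas.

    The base DN is lowercased because DN comparison is case-insensitive.
    """
    parts = [p.strip() for p in dn.split(",")]
    cn = [p for p in parts if p.lower().startswith("cn=")][0][3:]
    base = ",".join(p for p in parts if p.lower().startswith("dc=")).lower()
    return cn, base


def qualify(dn):
    """Map a DN to a winbind-style DOMAIN\\user name (raises KeyError for an unmapped domain)."""
    cn, base = split_dn(dn)
    return f"{DOMAIN_BY_BASE[base]}\\{cn}"


def find_collisions(dns):
    """Return {cn: [qualified names]} for bare cn values present in more than one domain.

    Any entry returned here is a user name that pam_ldap/nss_ldap would see twice
    under a single search base, and that needs a naming policy to stay unambiguous.
    """
    seen = defaultdict(list)
    for dn in dns:
        cn, _ = split_dn(dn)
        seen[cn.lower()].append(qualify(dn))
    return {cn: names for cn, names in seen.items() if len(names) > 1}
```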