
Re: Windows 2003 Active Directory CentOS 5.3 OpenLDAP Server Sync



On 15/09/2009 10:53, MMoj@timocom.com wrote:
Hello everyone,

I'm having a hard time. I should enable the sync of an AD (W2K3) and an
LDAP (CentOS 5.3) server based on the mentioned system. I really don't
know how to establish a sync of user accounts, groups, etc.

I have a test environment running with W2K3 AD and CentOS 5.3 LDAP with
Kerberos for SSO (Single Sign-On), but the information is still located
in the AD, not in the LDAP, and I want to authenticate against the LDAP
server. I really don't know how to configure the AD / LDAP to sync, or to
replicate the AD into LDAP.

Can someone help me out with a good "How-To" or maybe some config files,
etc.

Hi,

It sounds like you're facing several problems here:
1) How to sync user accounts and groups from AD to OpenLDAP
2) How to authenticate users

To address 1, you will need a tool that reads from AD, and writes to OpenLDAP. Many people write their own scripts, although I recommend you look at http://lsc-project.org.

To address 2, you need to decide how you want authentication to work.

You could set up OpenLDAP to redirect BIND attempts to the AD, via LDAP (using saslauthd and spasswd), keeping passwords in AD.

If you want to be able to authenticate on OpenLDAP without requiring access to the AD servers, you'll want passwords in OpenLDAP too. It's not generally possible to extract them from AD, so you'll need to set new ones in OpenLDAP, and maybe sync them to your AD.

Good luck,
Jonathan
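As an added illustration of the two points in the reply above (this is example code written for this page, not code from the poster, the OpenLDAP project or LSC): the core of any AD-to-OpenLDAP sync tool is a mapping step that turns AD user and group entries into OpenLDAP entries and emits LDIF. The sample AD entries are constructed to look like `ldapsearch` output from a W2K3 domain controller; the OpenLDAP suffix `dc=example,dc=com`, the `ou=People` / `ou=Groups` layout and the realm `EXAMPLE.COM` are assumptions. Because AD never exposes `unicodePwd`, no password is copied; instead `userPassword` is written in the `{SASL}` form, which makes slapd (built with `--enable-spasswd`) hand the BIND to saslauthd, matching the pass-through option the reply describes. Disabled AD accounts (`userAccountControl` bit 0x2) are skipped so a disabled user is not silently re-enabled on the OpenLDAP side.

```python
"""
Added example (not the post's or the LSC project's code): map constructed
AD entries to OpenLDAP entries and render them as LDIF, the way a sync
tool would between reading from AD and writing to OpenLDAP.
"""
import base64

OPENLDAP_PEOPLE = "ou=People,dc=example,dc=com"   # assumed OpenLDAP layout
OPENLDAP_GROUPS = "ou=Groups,dc=example,dc=com"
SASL_REALM = "EXAMPLE.COM"                         # assumed saslauthd/Kerberos realm

# Constructed sample AD data, shaped like ldapsearch output from a W2K3 DC.
AD_USERS = [
    {"dn": "CN=Jane Doe,OU=Staff,DC=example,DC=com",
     "sAMAccountName": "jdoe", "givenName": "Jane", "sn": "Doe",
     "mail": "jdoe@example.com", "userAccountControl": "512"},
    {"dn": "CN=Old Account,OU=Staff,DC=example,DC=com",
     "sAMAccountName": "old", "givenName": "Old", "sn": "Account",
     "mail": "old@example.com", "userAccountControl": "514"},  # 512 + 2 (disabled)
]
AD_GROUPS = [
    {"dn": "CN=Admins,OU=Groups,DC=example,DC=com", "sAMAccountName": "admins",
     "member": ["CN=Jane Doe,OU=Staff,DC=example,DC=com",
                "CN=Old Account,OU=Staff,DC=example,DC=com"]},
]

ACCOUNTDISABLE = 0x0002   # userAccountControl flag meaning "account disabled"


def user_dn(uid):
    return f"uid={uid},{OPENLDAP_PEOPLE}"


def map_user(ad):
    """AD user -> inetOrgPerson entry; returns None for disabled accounts."""
    if int(ad["userAccountControl"]) & ACCOUNTDISABLE:
        return None
    uid = ad["sAMAccountName"].lower()
    return {
        "dn": user_dn(uid),
        "objectClass": ["inetOrgPerson"],
        "uid": [uid],
        "cn": [f'{ad["givenName"]} {ad["sn"]}'],
        "sn": [ad["sn"]],
        "givenName": [ad["givenName"]],
        "mail": [ad["mail"]],
        # {SASL} scheme: slapd built with --enable-spasswd delegates the BIND
        # to saslauthd, which verifies the password against AD. No AD
        # password hash is copied because AD does not expose one.
        "userPassword": [f"{{SASL}}{uid}@{SASL_REALM}"],
    }


def map_group(ad, ad_dn_to_uid):
    """AD group -> groupOfNames, rewriting member DNs to OpenLDAP DNs."""
    members = [user_dn(ad_dn_to_uid[m]) for m in ad["member"] if m in ad_dn_to_uid]
    if not members:   # groupOfNames requires at least one member
        return None
    return {"dn": f'cn={ad["sAMAccountName"]},{OPENLDAP_GROUPS}',
            "objectClass": ["groupOfNames"],
            "cn": [ad["sAMAccountName"]],
            "member": members}


def build_entries(ad_users, ad_groups):
    """Return the OpenLDAP entries (users first, then groups) for the AD data."""
    users = {}
    for u in ad_users:
        mapped = map_user(u)
        if mapped:
            users[u["dn"]] = mapped
    dn_to_uid = {ad_dn: e["uid"][0] for ad_dn, e in users.items()}
    groups = [g for g in (map_group(g, dn_to_uid) for g in ad_groups) if g]
    return list(users.values()) + groups


def ldif_value(attr, value):
    """LDIF requires base64 for non-ASCII values or ones starting with ' ', ':' or '<'."""
    if value.isascii() and not value.startswith((" ", ":", "<")):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"


def to_ldif(entries):
    lines = []
    for e in entries:
        lines.append(ldif_value("dn", e["dn"]))
        for attr, vals in e.items():
            if attr != "dn":
                lines.extend(ldif_value(attr, v) for v in vals)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_ldif(build_entries(AD_USERS, AD_GROUPS)))
```

The LDIF this prints can be fed to `ldapadd` against the OpenLDAP server; a real tool would additionally compare against what is already in OpenLDAP and issue modify or delete operations for changed and removed accounts, which is the part LSC handles for you.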