
Re: Combining AD and Local DB into single 'virtual' tree



On Fri, 1 Mar 2013 16:32:17 -0500,
Mailing Lists <lists@masterofpenguins.com> wrote:

> Hello,
> I posted a question along these lines a few months ago and received
> replies, but never understood enough to implement them. I've done more
> research in the meantime and hopefully have learned enough to ask this
> question intelligently.
> I'm working on a project proposal for integrating Linux machines into
> a Windows environment. The client is very concerned about their AD
> environment and wants to do as little modification to it as possible
> (preferably none).
> 
> What I'd like to propose is that we set up an OpenLDAP server that
> chains to AD. If possible, I would like to use the OpenLDAP client's
> credentials to bind to AD instead of having a dedicated user for the
> OpenLDAP <--> AD connection. I believe this can be accomplished with
> the 'rebind-as-user' option of the ldap backend (slapd-ldap). Is this
> correct? Now here's where I think it gets tricky. We also need to be
> able to store information for the Linux boxes in LDAP (samba winbind
> mappings for example), but keep it separate from AD. I know that part
> of this would require a dedicated LDAP database backend (slapd-bdb)
> to be configured, but what confuses me is how to combine these two
> separate entities (the AD proxy and this bdb database) into one
> 'virtual' backend that clients can query against. Is this where
> slapd-translucent would come into play? Finally, if I want to create
> OUs in the Linux LDAP database that contain user DNs from AD, is that
> possible?
> 
> Any guidance, example solutions, or suggested reading is greatly
> appreciated.

As usual, there are several approaches. Either add back-ldap or some
scripting backend like back-perl in order to request AD, but in any
case you have to include the AD schema into your subschema.
Or get some sort of meta directory; there are a few available.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E