
Re: OpenLDAP synchronization with windows/Active Directory

Razi Garbie wrote:

> 2008/2/13, Michael Ströder <michael@stroeder.com>:
>
> >    Use pam_ldap or pam_krb5 against AD. NIS information you can retrieve
> >    from OpenLDAP with nss_ldap. No syncing needed for that, just different
> >    ldap.conf files for pam_ldap and nss_ldap.
>
> I see, so a slapd is not needed?

In this scenario authentication would be done directly with AD. But you also might want to retrieve the NIS information (what's in /etc/passwd) via LDAP. It depends whether you also want that information to be stored in AD or not.

> If that's the case, do you perhaps know if I'll be able to authenticate services that use LDAP:// and not PAM?

You can have a mixture of applications directly checking a password via LDAP and some using PAM or some directly using Kerberos or...

But take into account operational and security considerations.

> Could someone please give me links so that I can read up upon how to set up OpenLDAP to authenticate against Windows/AD.

Use SASL GSSAPI for using Kerberos with AD to authenticate clients which bind to slapd.

Ciao, Michael.
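As an added illustration of the split Michael describes (pam_ldap authenticating against AD, nss_ldap reading account data from OpenLDAP, and slapd accepting GSSAPI binds), here are the three config fragments involved; this is example configuration written for this thread, not taken from the list or from any project's documentation. Hostnames, DNs, the lookup account and the CA file paths are placeholders; the file names are the Debian ones, other distributions put both sections in a single /etc/ldap.conf.

```conf
# /etc/pam_ldap.conf -- pam_ldap talks to Active Directory for authentication only
# (placeholder host and base DN; replace with the real DC and domain)
uri ldaps://dc1.ad.example.com/
base dc=ad,dc=example,dc=com
ldap_version 3
scope sub
referrals no                        # AD returns referrals that stall the bind otherwise
# AD does not allow anonymous search for the user's DN, so pam_ldap needs a
# low-privilege lookup account; bindpw is cleartext, keep this file 0600 root:root
binddn cn=ldaplookup,ou=Service Accounts,dc=ad,dc=example,dc=com
bindpw CHANGEME-placeholder
pam_login_attribute sAMAccountName  # map the Unix login name to the AD account
pam_filter objectClass=user
pam_password ad                     # password changes go through AD's unicodePwd
tls_checkpeer yes                   # never send a password to an unverified DC
tls_cacertfile /etc/ssl/certs/ad-ca.pem

# /etc/libnss-ldap.conf -- nss_ldap reads posixAccount/posixGroup from OpenLDAP,
# no password checking happens here, so the NIS data never has to live in AD
uri ldap://ldap.example.com/
base dc=example,dc=com
ldap_version 3
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/openldap-ca.pem
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_group  ou=Group,dc=example,dc=com?one

# slapd.conf excerpt -- let clients bind to slapd with a Kerberos ticket from AD's
# realm (slapd needs its own ldap/host@AD.EXAMPLE.COM keytab) and map the SASL
# identity uid=<principal>,cn=<realm>,cn=gssapi,cn=auth onto the matching entry,
# so no LDAP password is ever stored or sent for these binds
sasl-realm AD.EXAMPLE.COM
authz-regexp
  uid=([^,]*),cn=ad.example.com,cn=gssapi,cn=auth
  ldap:///ou=People,dc=example,dc=com??sub?(uid=$1)
```

With this in place a client's `ldapsearch -Y GSSAPI` binds with the user's ticket, while PAM logins are checked against AD and `getent passwd` is served by OpenLDAP, with nothing synced between the two directories.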