Re: AD + Openldap integration

On Wed, 2008-05-07 at 10:56 -0400, Rich West wrote:
> Andrew Bartlett wrote:
> > On Tue, 2008-05-06 at 16:41 -0400, Rich West wrote:
> >   
> >> I am not entirely sure where to ask this particular question, and I
> >> apologize in advance if this is not the correct forum...
> >>
> >> We have an AD infrastructure and we'd like to get all of our unix boxes
> >> to authenticate against the AD servers. 
> >>     
> >
> > You really should be looking at Samba and winbind.  There we handle all
> > the messy details of dealing with AD. 
> >
> > If you want (say, for reasons of reducing dependence on AD) to use your
> > own replicated directory, then this is quite possible (and OpenLDAP
> > would be a fine DS for that purpose), but this gets painful with
> > passwords etc. 
> Interesting.. I was not aware that there was a pam hook for
> user/password auth.

Yes, pam_winbind and nss_winbind are key parts of what makes winbind
what it is. 

If you want something that just works, then this is the route to move

> If I were to do an OpenLDAP replica, it would be read-only, which should
> make things a little easier (I hope).  Again, if I went down that route,
> I am not sure exactly how to proceed (write a perl script to perform the
> right ldapsearch to pull all of the users entries to build the ldif file
> which then gets slurped in to openldap? write a perl script to use the
> ldap lib to grab each entry and insert it in to openldap?)

I think it's all been done before, but the challenge is getting the
passwords.  You end up either with passing these along (simple bind ->
krb5 kinit in the OpenLDAP server) or with nasty password sync stuff.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
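A minimal configuration wiring pam_winbind and nss_winbind into a Unix host, added here as an illustration (it is not from the thread or from the Samba project's documentation). The realm, workgroup and idmap range are placeholders, and the idmap lines use the `idmap config` syntax of Samba 3.3 and later. The point from a security standpoint is the one Andrew makes: the password is verified by the domain controller via winbind at bind time, so no password hashes need to be synchronised or stored on the Unix side.

```text
# /etc/samba/smb.conf   (constructed example; EXAMPLE / EXAMPLE.COM are placeholders)
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    # map AD SIDs into a uid/gid range that cannot collide with local accounts
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999
    winbind use default domain = yes
    # do not enumerate the whole directory; large domains make this slow
    winbind enum users = no
    winbind enum groups = no
    template shell = /bin/bash
    template homedir = /home/%U

# /etc/nsswitch.conf   (nss_winbind answers after local files, never before them)
passwd: files winbind
group:  files winbind

# /etc/pam.d/common-auth or system-auth   (pam_winbind hands the password to the
# DC for verification; pam_unix still covers local accounts such as root)
auth    sufficient pam_winbind.so
auth    required   pam_unix.so try_first_pass
account sufficient pam_winbind.so
account required   pam_unix.so
```

After joining the host with `net ads join -U <domain admin account>`, `wbinfo -t` confirms the machine account's trust secret is valid and `getent passwd <ad user>` confirms nss_winbind is resolving directory users before anyone relies on it for logins.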
