Re: OpenLDAP interop with AD questions

On Thu, 2008-11-13 at 19:27 -0600, Christopher Barry wrote:
> Hi All,
> I'm still researching methods, and trying to find the best way to
> integrate our Unix hosts with AD in a way that makes sense for us.
> The goal is to have a single user/password db in AD, and have all of the
> old NIS map data in OpenLDAP. SSO would be a nice to have feature too.
> I've read more stuff than I can count, but I'm still more than a little
> confused.
> The translucent overlay looks cool (if it'll even work with AD), but I'm
> not sure it's the right answer for us with respect to keeping the maps
> local to OpenLDAP.
> Any suggestions or doc links you can post?


AD is basically a combination of LDAP and Kerberos. LDAP contains the
user database (authorization) and Kerberos the passwords.

I've successfully managed to replicate a 'kind of' Active Directory
server in our network using the above-mentioned (LDAP + Kerberos); however,
this is running on a Unix host and there are no Windows clients on the

SSO is often misunderstood. 'Single Sign On' means not only that all the
passwords + password policies are the same across all the services (e.g.
SSH, HTTP, IMAP ....) but that the user typically needs to provide the
authentication information (password) only once (during logon to his
workstation) and all the rest of the services are authenticated without
the need to provide the (same) password again. This is achievable only
using Kerberos (TGT ticket requested on logon, all the other tickets
granted via the TGT).

There is a way on Unix (Linux) to use the AD Kerberos as a KDC. Unix
workstations then act as clients of the AD KDC and therefore you achieve a
single user/password database on Linux/Windows clients.

There are a few gotchas: the Microsoft Kerberos implementation is quite
different from the MIT or Heimdal one; it's not impossible though.
There are quite a lot of docs around about this subject.

The major problem is that client support on Linux is not great at this
time, especially for disconnected operation.

Windows, on first logon to AD, caches all the user auth. information, and
even if offline (not on the LAN where it can reach AD) the user is still
able to log on and work on his laptop using AD credentials.

On Linux you can achieve this more or less, but it's far from perfect.
You can use several combinations of libpam-krb5, libpam-ccreds, nscd,
nss-updatedb, libnss-ldap, achieving variable results in different
My solution (to make it bullet-proof) is syncing local (UNIX) auth
with Kerberos creds.

There are a few proprietary client software packages for Linux to join and
auth to AD; just to mention one: likewise-open. I did not test the quality
of these as my setup is different (no AD; I have my own Unix auth. server).

To finish: you are trying to achieve the holy grail of the network
administrator in mixed environments. Good luck with it. You need to
concentrate more on Kerberos than LDAP (not leveraging the importance LDAP in this

Best Wishes,

Martin Simovic
Systems Administrator
Concurrent Thinking

> Thanks,
> -C
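An added example, not from the thread, of the libpam-krb5 + libpam-ccreds offline-cache stack mentioned above, written as the auth section of a Debian-style /etc/pam.d/common-auth. It assumes both modules are installed, that pam_krb5 returns authinfo_unavail when no KDC is reachable, and a site-specific minimum_uid of 1000:

```conf
# Added example, not from the post: PAM auth stack that authenticates against
# the AD Kerberos KDC when online and falls back to locally cached credentials
# when the workstation is off the LAN. Assumed: libpam-krb5 and libpam-ccreds
# are installed; adjust minimum_uid to the first non-system UID at your site.

# 1. Online path: authenticate against the AD KDC.
#    success          -> skip the next 1 module (validate) and land on 'store'
#    authinfo_unavail -> no KDC reachable: ignore and try the offline cache
#    any other result -> wrong password etc.: skip 2 modules and land on 'update'
auth  [authinfo_unavail=ignore success=1 default=2]  pam_krb5.so minimum_uid=1000

# 2. Offline path: compare the typed password with the cached hash.
auth  [default=done]  pam_ccreds.so action=validate use_first_pass

# 3. After a successful online login, refresh the cached credential.
auth  [default=done]  pam_ccreds.so action=store

# 4. After a failed online login, invalidate the cache entry so a password
#    changed in AD does not keep working offline, then fail the login.
auth  [default=bad]   pam_ccreds.so action=update use_first_pass
```

The cache is only ever written after the KDC has accepted the password (step 3), so a laptop that has never logged in online has nothing to validate against in step 2.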