Using AD authentication with an external LDAP for authorization


I'm new to the world of LDAP and directory servers and trying to
figure out the best solution to my problem.

This isn't exactly OpenLDAP specific, I still haven't figured out
whether OpenLDAP is the right thing to use or whether there is any
good solution to my situation.

So I hope you forgive me for asking this here but I'm hoping to tap
into the collective knowledge of this list for ideas.

My situation is that I have taken over the systems administration of a
group of Linux servers for the Computer Science department at my
school. The school has an IT department but we would like to be
independent of them, both to relieve them of as much as possible of
our demands (which can be quite demanding and unorthodox) as well as
having a more agile environment here (again touching on the fact that
they are overloaded).

The IT department mostly runs Microsoft solutions and the whole domain
is controlled by Active Directory. I'm not familiar with AD myself so
I don't know whether it's a particularly "good setup" or not but I
have no reason to believe otherwise.

So, what I want to do is set up our own directory server but of course
I would like to use some open source solutions... or at the very
least, something that runs on Linux. There I would like to control
authorization for different users to different servers, clusters, web
systems (such as wiki webs, Subversion, bug tracking software etc). On
the other hand, I would prefer that authentication be somehow
delegated to the AD server for any user who is on the domain to avoid
duplicating data. However, I still would like to be able to define
additional users in my LDAP directory server that are not necessarily
on the domain. So my setup would have to be able to distinguish
whether authentication should be handled by my LDAP server or the AD
server. I would think this could happen in two ways: 1) user
credentials are replicated over to the LDAP server from AD which means
that LDAP would handle all authentication or 2) LDAP server would
delegate authentication for users it cannot authenticate to the AD
server but otherwise it would handle the users it knows. I assume 1 is
difficult to do as sending the user credentials out from AD is
probably considered bad practice (if it is at all possible that is).

The backup plan would be for me to get administrative rights to some
part of the AD server and then we'd use only that server for all
authentication and authorization requirements but as I said, we would
like to be as independent from their services as possible in addition
to not being particularly fond of having to use AD (is there any sort
of a usable web access to that? would this mean I would have to have a
Windows box set up to perform any administrative tasks?).

This is my situation. Sorry for the long winded explanation. Does
anybody have an idea of how to accomplish something like this? I'd be
happy to hear about any case studies or white papers on similar
subjects (I can't believe I'm the first one to want to do this). I'm
also open for suggestions on what tools to use. Open source is not a
requirement (but preferred).

Best regards, Stefan Freyr.
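One way to build option 2 with OpenLDAP is its pass-through authentication: a domain user's userPassword holds {SASL}user@realm instead of a hash, and slapd hands that bind to saslauthd, which checks the password against AD over LDAP, while local-only users keep an ordinary hash and are verified by slapd itself. The block below is an added illustration, not from the original post or the OpenLDAP project; the suffix dc=cs,dc=example,dc=edu, the realm AD.EXAMPLE.EDU, the hostnames and the read-only service account are placeholders.

```ldif
# Part 1: entries in the department's own directory (LDIF).
# Local-only account: the hash lives here and slapd verifies it.
dn: uid=visitor,ou=people,dc=cs,dc=example,dc=edu
objectClass: inetOrgPerson
uid: visitor
cn: Visiting Researcher
sn: Researcher
userPassword: {SSHA}REPLACE-WITH-OUTPUT-OF-slappasswd

# Domain account: no password is stored here at all. The {SASL} scheme
# tells slapd to pass the bind to saslauthd as user "stefan", realm
# "AD.EXAMPLE.EDU".
dn: uid=stefan,ou=people,dc=cs,dc=example,dc=edu
objectClass: inetOrgPerson
uid: stefan
cn: Stefan Freyr
sn: Freyr
userPassword: {SASL}stefan@AD.EXAMPLE.EDU

# Part 2: /usr/lib/sasl2/slapd.conf (path varies by distribution),
# telling slapd's SASL library to consult saslauthd for {SASL} entries.
# pwcheck_method: saslauthd

# Part 3: /etc/saslauthd.conf, read when saslauthd runs with "-a ldap".
# saslauthd binds to AD as a low-privilege service account, looks the
# user up by sAMAccountName, then re-binds as that user with the
# password being checked ("bind" method), so AD stays the only holder
# of domain credentials. %u is the user part of the {SASL} value.
# ldap_servers: ldap://dc1.ad.example.edu/ ldap://dc2.ad.example.edu/
# ldap_start_tls: yes
# ldap_version: 3
# ldap_auth_method: bind
# ldap_bind_dn: CN=ldap-lookup,OU=Service Accounts,DC=ad,DC=example,DC=edu
# ldap_password: REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD
# ldap_search_base: DC=ad,DC=example,DC=edu
# ldap_filter: (sAMAccountName=%u)
```

Because the domain entries carry no hash, nothing from AD is replicated into the local server, and the only AD privilege the IT department has to grant is a read-only lookup account; authorization (group membership, host access, ACLs) is still defined entirely in the local directory entries.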