
Re: Using AD authentication with an external LDAP for authorization

"Stefan Stefansson" <stefan@ru.is> writes:

> Hi.
> I'm new to the world of LDAP and directory servers and trying to
> figure out the best solution to my problem.
> This isn't exactly OpenLDAP specific, I still haven't figured out
> whether OpenLDAP is the right thing to use or whether there is any
> good solution to my situation.
> So I hope you forgive me for asking this here but I'm hoping to tap
> into the collective knowledge of this list for ideas.
> My situation is that I have taken over the systems administration of a
> group of Linux servers for the Computer Science department at my
> school. The school has an IT department but we would like to be
> independent of them, both to relieve them of as much as possible of
> our demands (which can be quite demanding and unorthodox) as well as
> having a more agile environment here (again touching on the fact that
> they are overloaded).
> The IT department mostly runs Microsoft solutions and the whole domain
> is controlled by Active Directory. I'm not familiar with AD myself so
> I don't know whether it's a particularly "good setup" or not but I
> have no reason to believe otherwise.
> So, what I want to do is set up our own directory server but of course
> I would like to use some open source solutions... or at the very
> least, something that runs on Linux. There I would like to control
> authorization for different users to different servers, clusters, web
> systems (such as wiki webs, Subversion, bug tracking software etc). On
> the other hand, I would prefer that authentication be somehow
> delegated to the AD server for any user who is on the domain to avoid
> duplicating data. However, I still would like to be able to define
> additional users in my LDAP directory server that are not necessarily
> on the domain. So my setup would have to be able to distinguish
> whether authentication should be handled by my LDAP server or the AD
> server. I would think this could happen in two ways: 1) user
> credentials are replicated over to the LDAP server from AD which means
> that LDAP would handle all authentication or 2) LDAP server would
> delegate authentication for users it cannot authenticate to the AD
> server but otherwise it would handle the users it knows. I assume 1 is
> difficult to do as sending the user credentials out from AD is
> probably considered bad practice (if it is at all possible that is).
> The backup plan would be for me to get administrative rights to some
> part of the AD server and then we'd use only that server for all
> authentication and authorization requirements but as I said, we would
> like to be as independent from their services as possible in addition
> to not being particularly fond of having to use AD (is there any sort
> of a usable web access to that? would this mean I would have to have a
> Windows box set up to perform any administrative tasks?).
> This is my situation. Sorry for the long winded explanation. Does
> anybody have an idea of how to accomplish something like this? I'd be
> happy to hear about any case studies or white papers on similar
> subjects (I can't believe I'm the first one to want to do this). I'm
> also open for suggestions on what tools to use. Open source is not a
> requirement (but preferred).

In principle, authentication via Active Directory can be achieved by
means of several different backends; the most appropriate would probably
be slapd-ldap(5) and some rewriting, but slapd-perl(5) or
slapd-sock(5) could also be included, depending on your skills.
I would suggest reading http://www.openldap.org/doc/admin24/ first and
setting up a test environment in order to get acquainted with directory


Dieter Klünter | Systemberatung
sip: +49.180.1555.7770535
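As an added illustration of the slapd-ldap(5)-plus-rewriting approach the reply points at (this is not Dieter's configuration nor anything from the original thread), the following slapd.conf glues a back-ldap proxy for the AD domain underneath a local mdb database. Local (non-domain) users live in the mdb database; domain users appear under ou=ad,... and their simple binds are forwarded to the domain controller, which checks the password, so no credentials are ever copied out of AD. Every host name, suffix, file path and the service-account DN are assumptions chosen for the example.

```conf
# Constructed example slapd.conf (OpenLDAP 2.4 style), not from the list reply.
# Two databases in one slapd:
#   1. back-ldap proxy, glued in as a subordinate, for the AD domain
#   2. local mdb database for users who are not in the domain

include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/nis.schema

modulepath  /usr/lib/openldap
moduleload  back_mdb
moduleload  back_ldap
moduleload  rwm

# ---- 1. proxy to Active Directory ----------------------------------------
# In slapd.conf a subordinate database must be listed before its superior.
database    ldap
suffix      "ou=ad,dc=cs,dc=example,dc=com"
subordinate
uri         "ldaps://dc1.ad.example.com/"
# verify the domain controller's certificate (CA file path is an assumption)
tls         ldaps tls_cacert=/etc/ssl/certs/ad-root-ca.pem tls_reqcert=demand
# AD hands out referrals for other partitions; do not follow them
chase-referrals no

# Client simple binds are forwarded to AD with the DN rewritten below, so AD
# decides whether the password is right. Searches run under a read-only
# service account, because AD refuses anonymous searches. mode=none sends no
# proxyAuthz control (AD does not support it). Keep this file mode 0600.
idassert-bind bindmethod=simple
              binddn="cn=ldap-proxy,cn=Users,dc=ad,dc=example,dc=com"
              credentials="<service-account-password>"
              mode=none
# which local identities (anonymous clients included) may use that account
idassert-authzFrom "dn.regex:.*"

# Show AD entries under the local suffix with inetOrgPerson-style names so
# nss/pam, the wiki, Subversion etc. need no AD-specific configuration.
overlay     rwm
rwm-rewriteEngine on
# virtual suffix (this database's) <-> real AD container (assumption)
rwm-suffixmassage "cn=Users,dc=ad,dc=example,dc=com"
rwm-map     attribute uid sAMAccountName
rwm-map     attribute * *
rwm-map     objectclass inetOrgPerson user
rwm-map     objectclass * *

# ---- 2. local database for users outside the domain ---------------------
database    mdb
suffix      "dc=cs,dc=example,dc=com"
rootdn      "cn=admin,dc=cs,dc=example,dc=com"
rootpw      "{SSHA}replace-with-slappasswd-output"
directory   /var/lib/openldap/cs
maxsize     1073741824
index       objectClass,uid,memberUid eq

# Authorization is decided here: one posixGroup per server or service,
# with memberUid values naming users from either side of the tree.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read
```

Two things worth knowing before relying on this. The RDN of a proxied entry stays AD's cn (for example cn=Alice Smith,ou=ad,dc=cs,dc=example,dc=com), so a client has to find the DN by searching on uid and then bind with it; pam_ldap and nss_ldap do exactly that by default, and you can check both halves by hand with `ldapsearch -x -H ldap://localhost -b ou=ad,dc=cs,dc=example,dc=com "(uid=alice)"` followed by `ldapwhoami -x -D "cn=Alice Smith,ou=ad,dc=cs,dc=example,dc=com" -W`. And because the proxy's service-account password sits in slapd.conf in clear text, treat the file like a key: readable by the slapd user only, and give the account no rights in AD beyond reading the users container.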