
Re: OpenLDAP centralized authentication with Active Directory



On Tue, Jan 13, 2009 at 02:30:27PM +0700, Duong Pham Tung (FIM HN) wrote:

> My company network has several different domains, such as abc.net, abc.com and xyz.com (I don't use the real domain names because of our company's security policy). Each domain is managed by a dedicated Active Directory server.
>
> Now I want to use one OpenLDAP server to authenticate all users from these domains, because we want to manage the services they use (such as Mail, Portal) centrally. But so far I haven't found any solution to this problem. Because the number of users is very large (approximately 10.000 users), I can't build the database by hand.

Do you mean that you want to have a single OpenLDAP server that
refers authentication to the three backend servers?

Does each AD server manage a separate non-overlapping part of
the tree? If so, you may be able to use OpenLDAP with back-meta
to glue the three servers together into a single service without
having to copy any data across.

In more complex cases you may have to copy data into OpenLDAP.
10,000 users is not very many, but you certainly would not want
to copy the entries by hand. You may need to write some scripts
to synchronise the data. The scripts could put an attribute into
each entry in OpenLDAP to say which AD server the user came from.
You could then use Pass-Through Authentication:

	http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
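As an added illustration of the "copy the data and use Pass-Through Authentication" route Andrew describes (example code, not from the thread or the OpenLDAP project): a small sync helper that turns a constructed per-domain AD export into LDIF, tags each entry with the AD server it came from, and sets `userPassword` to `{SASL}user@REALM` so slapd delegates the bind to saslauthd. The suffix, the `x-adSource` attribute, the domain-to-server map and the export format are all assumptions.

```python
import base64

SUFFIX = "ou=People,dc=example,dc=org"   # assumed OpenLDAP suffix
# Assumed mapping: AD domain -> the domain controller saslauthd checks that realm against
AD_SERVERS = {"abc.net": "dc1.abc.net", "abc.com": "dc1.abc.com", "xyz.com": "dc1.xyz.com"}
# Constructed sample export, one user per line: domain,sAMAccountName,displayName,mail
AD_EXPORT = """\
abc.net,jdoe,John Doe,jdoe@abc.net
abc.com,asmith,Alice Smith,asmith@abc.com
xyz.com,abergstrom,Åke Bergström,ake@xyz.com
"""

def ldif_attr(name, value):
    """One LDIF line; base64-encode values that are not SAFE-STRINGs per RFC 2849
    (non-ASCII, empty, leading space/colon/'<', trailing space, embedded CR/LF)."""
    safe = (value != "" and value.isascii() and value[0] not in " :<"
            and not value.endswith(" ") and "\r" not in value and "\n" not in value)
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def parse_export(text):
    """Parse the export, rejecting malformed lines and users from unknown domains."""
    users = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4 or not all(fields):
            raise ValueError(f"line {lineno}: expected domain,sAMAccountName,displayName,mail")
        domain, sam, display, mail = fields
        if domain.lower() not in AD_SERVERS:
            raise ValueError(f"line {lineno}: unknown AD domain {domain!r}")
        users.append({"domain": domain.lower(), "uid": sam, "cn": display, "mail": mail})
    return users

def user_entry(user):
    """LDIF for one inetOrgPerson. '{SASL}user@REALM' in userPassword makes slapd hand
    the bind to saslauthd, whose LDAP backend maps REALM to the matching AD server."""
    realm = user["domain"].upper()
    lines = [
        ldif_attr("dn", f"uid={user['uid']},{SUFFIX}"),   # sAMAccountName cannot contain ','
        "objectClass: inetOrgPerson",
        ldif_attr("uid", user["uid"]),
        ldif_attr("cn", user["cn"]),
        ldif_attr("sn", user["cn"].split()[-1]),           # inetOrgPerson requires sn
        ldif_attr("mail", user["mail"]),
        ldif_attr("x-adSource", AD_SERVERS[user["domain"]]),  # assumed local attribute
        ldif_attr("userPassword", f"{{SASL}}{user['uid']}@{realm}"),
    ]
    return "\n".join(lines) + "\n"

def build_ldif(text):
    return "\n".join(user_entry(u) for u in parse_export(text))
```

The realm in the `{SASL}` value is what saslauthd uses to pick the AD server, so the `x-adSource` attribute and the realm must be kept consistent by the sync script.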