[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: openldap as slave server to windows AD

On Fri, Apr 24, 2009 at 03:00:07PM +0300, Aleksander Kamenik wrote:

> I'm about to setup a windows domain server with AD for some 50 windows 
> pc's. The windows pc's will use the windows server directly and that's 
> settled.

> Also, if the windows server should be unavailable, I'd still like to be 
> able to login and use the services running on linux servers.
> So I imagine having openldap act a slave server (like in DNS) the for the 
> windows active directory service's "User" space.
> Is this possible and which configuration path should I take? The manual 
> mentions proxy configurations as well as something called chaining.

A proxy config would be fairly easy, but would not continue working
when the AD server goes down.

You cannot setup OpenLDAP as a simple slave of AD, as AD does not
support the same replication process that OpenLDAP uses. Also, AD does
not store passwords in LDAP: this is done by Kerberos.

It is reasonably easy to synchronise data from AD to OpenLDAP using a
sync tool or a scripting language. The problem is to capture the

One option here is to install a password-change interceptor on
the AD server(s) (all of them) and have it pass the new passwords
to OpenLDAP. You then tell the users that they have to change their
passwords before getting access to the Linux servers.

Another option is to setup the OpenLDAP server to do proxy auth to the
AD server and then to store the password locally if the authentication
succeeds. You would still need the password interceptor to make sure
that you don't keep old passwords in the OpenLDAP store.
I am not sure whether the proxy-and-keep function has made it into a
distributed version yet. It was discussed in this thread among others:


|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |