Re: OpenLDAP, PADL and querying multiple ADs

On 15/06/2010 16:39, Markus wrote:
> Hello list,
>
> I'm on SLES 11 and the mission is to allow Active Directory (AD) users to
> log in to Linux. The difficulty is that those users are stored in two
> separate ADs which have no connection to each other. Both ADs are running
> on Windows 2003 R2 (or later) and I'm using the LDAP PADL NSS
> (/etc/ldap.conf) implementation to map the UNIX attributes that are stored
> in the AD to local values (homedir, shell, UID/GID etc.). So far so good,
> everything works fine (getent passwd, PAM logins).
>
> Now, when searching for a solution on how to query two ADs via LDAP at the
> same time it seems like OpenLDAP supports multiple LDAP search bases, and
> there was also a mention of the translucent overlay feature, so I
> suppose using OpenLDAP I could fetch the UNIX attributes from both ADs.

Yes, you can use OpenLDAP as a proxy to the two ADs via LDAP. Check out the slapd-meta man page (meta is a backend that can take several remote LDAP proxy databases).

The translucent overlay would allow you to store extra information on your OpenLDAP server that's not in the AD directories. It doesn't sound like this is necessary for you, but I may be wrong.

Hope this helps,

> What completely puzzles me is the NSS/PAM configuration and how PADL NSS
> and OpenLDAP interact, or don't interact:
>
> - If I configure OpenLDAP (/etc/openldap/ldap.conf) instead of PADL NSS
> (/etc/ldap.conf) how do I configure NSS/PAM for OpenLDAP? I need "getent
> passwd" and "getent group" and of course PAM logins to work. E.g. getent
> passwd has to give me back all users from BOTH ADs that have UNIX
> attributes stored. But since there seems to be only the PADL NSS module in
> existence (/lib/libnss_ldap.so.2), I am clueless on how to integrate the
> OpenLDAP variant. Shouldn't there be something like
> /lib/libnss_openldap.so and shouldn't I be able to add something like
> "passwd: compat openldap" to /etc/nsswitch.conf? I guess not, but I don't
> understand why.
>
> - So that leaves me with the idea of *somehow* fetching the UNIX
> attributes from both ADs via OpenLDAP, setting up a local OpenLDAP server to
> store this information in, and then using the PADL NSS module to query it.
> I'm not sure if this is the right approach or if this is even technically
> feasible. Is there maybe an easier way with less overhead (e.g. no OpenLDAP
> server required)?
>
> Thank you very much for any hints or pointers that you might share with
> me! I'm really lost...
>
> Best regards

Jonathan Clarke - jonathan@phillipoux.net
Ldap Synchronization Connector (LSC) - http://lsc-project.org
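The slapd-meta proxy Jonathan points to, written out as an added slapd.conf example; it is not part of the original thread and not either poster's configuration. Every hostname, DN, path and credential in it is a placeholder (dc=proxy,dc=example is the invented virtual suffix, dc=corp1/dc=corp2 the two forests, cn=ldap-proxy the assumed read-only service account).

```conf
# Added example, not from the thread: slapd.conf fragment for the back-meta
# proxy Jonathan points to. Two unrelated AD forests appear as sibling
# subtrees of one virtual suffix, so a single NSS search covers both.
# Hostnames, DNs, paths and the service-account credentials are placeholders.

# nis.schema defines posixAccount, uidNumber and gidNumber.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
# Only needed if your build ships back-meta as a loadable module.
moduleload      back_meta.la

database        meta
suffix          "dc=proxy,dc=example"
# AD referrals point at other DCs or partitions and would bypass the
# per-target identity and TLS settings below, so never follow them.
chase-referrals no
network-timeout 5

# Forest 1, published as ou=ad1,dc=proxy,dc=example.
uri             "ldap://ad1.example.com/ou=ad1,dc=proxy,dc=example"
suffixmassage   "ou=ad1,dc=proxy,dc=example" "dc=corp1,dc=local"
# StartTLS before the simple bind so the service-account password is not
# sent in clear; "start" (unlike "try-start") fails closed if the DC refuses.
# The DC's CA must be trusted by slapd's libldap (TLS_CACERT in
# /etc/openldap/ldap.conf).
tls             start
# AD does not answer anonymous searches: every query, whoever sent it to
# the proxy, is forwarded under a dedicated read-only service account
# (mode=none: no proxyAuthz control, the connection just binds as it).
idassert-bind   bindmethod=simple
                binddn="cn=ldap-proxy,cn=Users,dc=corp1,dc=local"
                credentials="CHANGEME"
                mode=none
# Allow anonymous NSS clients to be served under the asserted identity.
idassert-authzFrom "*"

# Forest 2, same pattern under a sibling OU.
uri             "ldap://ad2.example.com/ou=ad2,dc=proxy,dc=example"
suffixmassage   "ou=ad2,dc=proxy,dc=example" "dc=corp2,dc=local"
tls             start
idassert-bind   bindmethod=simple
                binddn="cn=ldap-proxy,cn=Users,dc=corp2,dc=local"
                credentials="CHANGEME"
                mode=none
idassert-authzFrom "*"
```

On the client, the existing PADL /etc/ldap.conf then points at the proxy (uri ldap://127.0.0.1/, base dc=proxy,dc=example, nss_base_passwd and nss_base_group set to dc=proxy,dc=example?sub) and keeps its nss_map_* attribute mappings, so getent passwd returns users from both forests. Start slapd with -h ldap://127.0.0.1/ so the proxy, which holds AD service-account credentials, is not reachable from the network.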