
Re: Combining AD and Local DB into single 'virtual' tree



Mailing Lists wrote:
Hello,
I posted a question along these lines a few months ago and received replies,
but never understood enough to implement them. I've done more research in the
meantime and hopefully have learned enough to ask this question intelligently.
I'm working on a project proposal for integrating Linux machines into a
Windows environment. The client is very concerned about their AD environment
and wants to do as little modification to it as possible (preferably none).

What I'd like to propose is that we set up an OpenLDAP server that chains to
AD. If possible, I would like to use the OpenLDAP client's credentials to bind
to AD instead of having a dedicated user for the OpenLDAP <--> AD connection.
I believe this can be accomplished with the 'rebind-as-user' option of the
ldap backend (slapd-ldap). Is this correct?

No. That is not what the slapd-ldap(5) manpage says for "rebind-as-user". Go RTFM. What you want is idassert-bind.

Now here's where I think it gets tricky. We also need to be able to store
information for the Linux boxes in LDAP (samba winbind mappings for example),
but keep it separate from AD. I know that part of this would require a
dedicated LDAP database backend (slapd-bdb) to be configured, but what
confuses me is how to combine these two separate entities (the AD proxy and
this bdb database) into one 'virtual' backend that clients can query against.
Is this where slapd-translucent would come into play?

slapo-translucent has only one purpose - to override the attributes of an entry that exists on a remote server with values stored in a local server. If the entry doesn't exist on the remote server, then slapo-translucent is not what you want.

Finally, if I want to create OUs in the Linux LDAP database that contain user
DNs from AD, is that possible?

Anything is possible. Dunno if it makes sense though.

Any guidance, example solutions, or suggested reading is greatly appreciated.
-Dave

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
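Howard's correction turned into a slapd.conf fragment, as an added example that is not part of the thread: back-ldap with idassert-bind for the AD side, a separate local bdb database for the Linux-specific data, and the two combined under one suffix with the subordinate/glue mechanism from slapd.conf(5), which the reply does not cover and which goes beyond it. Every DN, hostname, path and credential below is a placeholder, and the AD naming context is assumed to sit under the glue suffix so that subordinate can be used.

```conf
# slapd.conf fragment: AD proxy + local database glued under one suffix.
# Added example, not from the thread. All names are placeholders, and the
# AD naming context is assumed to be below the glue suffix dc=example,dc=com.

# --- 1. AD proxy (slapd-ldap). A client's own simple bind is forwarded to
#        AD unchanged; idassert-bind names the account slapd itself uses
#        when it has to act on a client's behalf (e.g. an anonymous search).
database        ldap
suffix          "dc=ad,dc=example,dc=com"
subordinate
uri             "ldap://dc1.ad.example.com/"
idassert-bind   bindmethod=simple
                binddn="cn=ldap-proxy,cn=Users,dc=ad,dc=example,dc=com"
                credentials="PLACEHOLDER-SECRET"
# Restrict which local identities may trigger the identity assertion.
idassert-authzFrom "dn.subtree:ou=linux,dc=example,dc=com"
# rebind-as-user only keeps a bound client's credentials for reconnects
# and referral chasing; it is not a way to bind to AD as that client.
rebind-as-user  yes

# --- 2. Local data for the Linux hosts (winbind idmap etc.), kept out of AD.
database        bdb
suffix          "ou=linux,dc=example,dc=com"
subordinate
directory       /var/lib/ldap/linux
rootdn          "cn=admin,ou=linux,dc=example,dc=com"
rootpw          {SSHA}PLACEHOLDER
index           objectClass eq

# --- 3. Glue superior: declared last so that both subordinates attach to it.
#        A subtree search based at dc=example,dc=com then reaches both.
database        bdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap/glue
rootdn          "cn=admin,dc=example,dc=com"
rootpw          {SSHA}PLACEHOLDER
```

What a client can actually read on the AD side is still decided by AD's own permissions for the identity the proxy presents, and since slapd.conf now carries the proxy account's credentials it should be readable only by the slapd user.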