
Re: Ldap challenge



Marc Patermann wrote:
> Hi,
>
> Andrew Findlay wrote (27.04.2015 21:06):
>> On Mon, Apr 27, 2015 at 06:27:39PM +0000, Ross, Daniel B. wrote:
>>
>> All of my customers so far have chosen the parallel approach, as that
>> allows the Unix LDAP to continue working if it loses access to AD.
>> Ideally this includes installing a module on the AD Domain Controllers
>> that detects password changes and forwards them immediately to the Unix
>> LDAP. I have generally used Microsoft's SFU password-capture module for
>> this as AD admins seem happier to install Microsoft code than things from
>> other sources. It does have its problems though, and the code quality
>> of the Unix end that they provide leaves a lot to be desired. I believe
>> newer AD versions come with an updated version of this built in, but I
>> have not tested it.
> I don't know about AD; I googled around a bit. I found "Identity
> Management for UNIX: Password Synchronization" as a successor of SFU, is
> this true?
> Is this the thing MS is currently offering:
> https://technet.microsoft.com/en-us/library/cc776179%28v=ws.10%29.aspx
> Using NIS and installing a PAM module on every machine!?

Not the only way.

http://www.openldap.org/lists/openldap-devel/200811/msg00045.html

You can create a slapd overlay that talks to the AD password synch module to do two-way password synchronization.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/