
Re: OpenLDAP, Active Directory Replication ...



There is a large issue with the password synchronization.

The userPassword attribute is not to be found anywhere that I can 
see in AD.  For replication with other implementations of LDAP
this is a big problem.

The only visible interface to the password information is ADSI.

At the University here we did not want to try and jump through too
many hoops to use OpenLDAP->AD (or AD->OpenLDAP) replication.

We would have loved direct replication but decided rather to 
synchronize users and groups between a PDC and the main OpenLDAP
server.  AD would then replicate across the AD side of things and 
OpenLDAP would replicate across the OpenLDAP side of things.

The solution and policies that we are holding to are as follows:

	---------
	solutions
	---------
	- Do not replicate AD<->OpenLDAP but rather synchronize based on time 
	  stamps and a shared attribute, the SID

		AD has a unique SID for every entry in the database.  Upon
		account or group creation (through a dedicated web tool),
		an account is also created on the AD side. AD automagically
		generates a unique SID so immediately we query AD for the
		same record that was just created and store the SID in the
		main OpenLDAP server.  This, coupled with timestamp search
		filters, helps us synchronize the newly modified accounts
		for an interval we currently have defined as 30 minutes.
	
	- Use Services for Unix 2.0 on Windows 2000 + Redhat Linux for
	  password synchronization.

		Services for Unix is a MS product running around $175.
		It comes with a precompiled PAM module that interfaces with
		a listener that resides on the 2000 or NT4 side of things.

		We modified the source code to implement nss rather than write
		to the passwd/shadow file directly (as a side note, the RSA 
		libraries were NOT included with the source that MS distributed
		so we modified their source to also use a public implementation
		of triple DES, libDES from ftp://ftp.zedz.net)

	- Use of SAMBA for mapping home directories with Samba HEAD 2.1 pre
	  coupled with LDAP for home directory mapping.

	    <elaboration upon request>

	--------
	policies
	--------
	- All password changes must come on the UNIX side.  
	
		This is because we need to also set the lmpassword and ntpassword for 
		Samba.  With SFU2.0 it IS possible to allow password changes with
		the ssod (Single sign on daemon) that is also distributed with
		source (and again also needed modification to use libDES and implement
		writing the password to LDAP instead of the passwd/shadow file)


I hope this helps at least a little bit!

On Thu, 29 Jun 2000, Chris G. Sellers wrote:

> What about the encryption type?  If UNIX uses MD5, crypt, bigcrypt, etc.,
> does not AD still use its own encryption type?
> 
> Sellers
> > 
> > You can accomplish this task using ADSI. Check out:
> > 
> > http://www.4guysfromrolla.com/webtech/030100-1.shtml
> > 
> > julian 
> > 
> > > -----Original Message-----
> > > From:	Chris G. Sellers [SMTP:sellers@Oakland.edu]
> > > Sent:	Thursday, June 29, 2000 10:32 AM
> > > To:	ejbsys@altavista.com
> > > Cc:	openldap-general@OpenLDAP.org
> > > Subject:	Re: OpenLDAP, Active Directory Replication ...
> > > 
> > > If you get this to work, please please please, post it on the mailing
> > > list.
> > > 
> > > There has been talk of this for a while and I never saw the results.
> > > 
> > > MS did open up more of the Kerberos in NT5 recently...
> > > 
> > > > 
> > > > I have an OpenLDAP v3 installed in a Red Hat Linux 6.1
> > > > I tried replication between two linux machines using
> > > > slurpd and configuring slapd.conf in the appropriate
> > > > way and everything went ok.
> > > > 
> > > > Now, I want to make replication of the LDAP directory
> > > > installed in one of the Linux Machines, to a 
> > > > Windows 2000 machine (what Microsoft documentation
> > > > calls 'Active Directory Synchronization').
> > > > 
> > > > I did not find useful information on HOW TO DO THAT
> > > > in Microsoft's site. Could someone help me and tell
> > > > me how to do it, or where can I find a step-by-step
> > > > guide? I would appreciate that. 
> > > > 
> > > > 			Ernest.
> > > > 
> > > 
> > > 
> > > <(/|\-/|\-/|\-/|\-/|\/-\|/-\|/-\|/|\-/|\-/|/-\|/|\-/|\-/|\/-\|/-\|/-\)>
> > > 
> > >    Sellers , Chris G.		
> > >    Scientific Programmer Analyst 	
> > >     Information & Instructional Technology 
> > >     Oakland University - Rochester, Michigan 48309-4401	
> > >     Phone: (248) 370.2016    FAX: (248) 370.4251
> > > 
> > 
> 
> 
> 
> 
> 

--      
David Bartle
Directory Services and Database Administrator
Azusa Pacific University
captin@apu.edu
--

"recursion (ree-kurzhin) (n) - A mathematical function that referrs to
itself within its own definition.  see recursion"
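The SID-plus-timestamp synchronization described in the "solutions" section above, as an added Python example; this is not code from the thread or from Azusa Pacific's tooling. The OpenLDAP attribute name apuSID used to hold the stored SID and all sample entries are constructed assumptions; the binary objectSid layout and the GeneralizedTime filter syntax are standard.

```python
# Added example (not from the thread): match AD and OpenLDAP entries on the
# SID and build the "changed in the last N minutes" search filters the
# 30-minute sync interval relies on.
import struct
from datetime import datetime, timedelta, timezone


def sid_to_string(raw: bytes) -> str:
    """Decode AD's binary objectSid into the familiar S-1-5-... form.
    Layout: revision byte, sub-authority count byte, 48-bit big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def changed_since_filter(stamp_attr: str, since: datetime) -> str:
    """LDAP filter for entries modified at or after `since`.  AD stamps
    whenChanged, OpenLDAP stamps modifyTimestamp; both are GeneralizedTime."""
    stamp = since.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    return "(%s>=%s)" % (stamp_attr, stamp)


def sync_window_filter(stamp_attr: str, now: datetime, minutes: int = 30) -> str:
    """Filter for one sync interval ending at `now` (30 minutes in the post)."""
    return changed_since_filter(stamp_attr, now - timedelta(minutes=minutes))


def plan_sync(ad_entries, ldap_entries, sid_attr: str = "apuSID") -> dict:
    """Join the two directories on the SID and report what each side needs.
    sid_attr (assumed name) is where OpenLDAP keeps the SID copied from AD."""
    ad = {sid_to_string(e["objectSid"]): e for e in ad_entries}
    ldap = {e[sid_attr]: e for e in ldap_entries}
    return {
        "update_ldap": sorted(s for s in ad if s in ldap),        # known both sides
        "missing_in_ldap": sorted(s for s in ad if s not in ldap),  # SID not yet stored
        "missing_in_ad": sorted(s for s in ldap if s not in ad),    # gone/renamed on AD
    }


# Constructed sample data: objectSid is binary on the AD side, a string on ours.
_AUTH = bytes([1, 5, 0, 0, 0, 0, 0, 5])  # revision 1, 5 sub-authorities, authority 5
SAMPLE_AD = [
    {"sAMAccountName": "jdoe", "objectSid": _AUTH + struct.pack("<5I", 21, 1, 2, 3, 1001)},
    {"sAMAccountName": "asmith", "objectSid": _AUTH + struct.pack("<5I", 21, 1, 2, 3, 1002)},
]
SAMPLE_LDAP = [
    {"uid": "jdoe", "apuSID": "S-1-5-21-1-2-3-1001"},
    {"uid": "bjones", "apuSID": "S-1-5-21-1-2-3-1003"},
]
```

Run `plan_sync(SAMPLE_AD, SAMPLE_LDAP)` to see the three buckets, and feed `sync_window_filter("whenChanged", now)` to the AD search and `sync_window_filter("modifyTimestamp", now)` to the OpenLDAP search for one interval.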