On Tue, Apr 14, 2015 at 3:23 PM, Rich Megginson <rmegg...@redhat.com> wrote:
> On 04/14/2015 12:41 PM, Gary Algier wrote:
> > Hello,
> >
> > I am in search of a tool to solve a new directory server issue in
> > relation to Active Directory...
> >
> > For a long time here at work, we have had LDAP as our authentication
> > source and nsswitch source for Solaris and Linux. First it was the Solaris
> > DS, later the 389 DS. When AD came along we started using the Active
> > Directory sync tool to sync passwords from the AD environment, but did not
> > try to store all the POSIX attributes in AD. This has worked well.
> >
> > Recently, our company was bought by another that is implementing AD as
> > the only allowed authentication source. We will be assimilated. However,
> > they can't/won't store all the other stuff we need such as the Ethernet
> > addresses, automount points, etc. They also won't sync passwords. It
> > looks like we will still need a "real" directory server.
> >
> > Does anyone have any ideas how to have two LDAP sources, one used for
> > authentication and possibly some user attributes, group membership, etc.
> > (AD) while using another (389?) for the rest of the stuff?
>
> Perhaps a mix of sync and PAM pass through auth. With PAM pass through
> auth, you configure a PAM stack to authenticate to AD, then configure 389
> PAM passthrough auth to use that PAM stack for authentication.
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/pam-pta.html

Yes, that sounds just like what I need. AD can handle the auth, I will manage the data (with a little help from sync). Now to set up a new server...

Thanks
Gary
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
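Rich's suggestion, worked through as an added example that is not part of the thread or of the 389 DS project: a PAM stack that hands the bind password to AD through SSSD, the LDIF that enables the PAM Pass Through Auth plugin for one suffix only, and a bind check over STARTTLS. The instance name, the suffixes, the PAM service name "ldapserver", the use of pam_sss.so, and the environment variable DM_PW are all assumptions to adapt.

```shell
#!/bin/sh
# Added example, not code from the thread or from the 389 DS project:
# configure 389 DS PAM pass-through auth so that simple binds for entries
# under one suffix are verified by a local PAM stack that talks to Active
# Directory through SSSD. Assumptions (hypothetical, adapt to your site):
#   - instance "example" on localhost with TLS enabled, Directory Manager
#     password supplied in $DM_PW
#   - user entries under ou=People,dc=example,dc=com use uid= RDNs equal to
#     the AD sAMAccountName, which is the login name pam_sss expects
#   - the host is already joined to AD and sssd provides pam_sss.so
set -e

PAM_SERVICE="ldapserver"                     # PAM stack the plugin invokes
INCLUDE_SUFFIX="ou=People,dc=example,dc=com" # binds under here go to PAM/AD
EXCLUDE_SUFFIX="cn=config"                   # never forward admin binds to AD
INSTANCE="example"

# Contents of /etc/pam.d/$PAM_SERVICE. An account line is included as well
# as auth so that a disabled or expired AD account is refused, not only a
# wrong password.
pam_stack() {
    cat <<'EOF'
#%PAM-1.0
auth     required   pam_sss.so
account  required   pam_sss.so
EOF
}

# One modify against the plugin entry:
#   pamIDMapMethod RDN  -> the entry's RDN value (the uid) is the PAM login
#   pamFallback FALSE   -> a PAM failure is final; no retry against the
#                          userPassword stored in 389 (set TRUE only during
#                          migration while both password stores are live)
#   pamSecure TRUE      -> refuse to forward a password unless the client
#                          connection is TLS-protected
pam_pta_ldif() {
    cat <<EOF
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
replace: pamIncludeSuffix
pamIncludeSuffix: ${INCLUDE_SUFFIX}
-
replace: pamExcludeSuffix
pamExcludeSuffix: ${EXCLUDE_SUFFIX}
-
replace: pamIDMapMethod
pamIDMapMethod: RDN
-
replace: pamFallback
pamFallback: FALSE
-
replace: pamSecure
pamSecure: TRUE
-
replace: pamService
pamService: ${PAM_SERVICE}
EOF
}

# Write the PAM stack, load the plugin config, and restart: enabling a
# plugin (nsslapd-pluginEnabled) only takes effect after a restart.
apply() {
    pam_stack > "/etc/pam.d/${PAM_SERVICE}"
    pam_pta_ldif | ldapmodify -x -ZZ -H ldap://localhost \
        -D "cn=Directory Manager" -w "$DM_PW"
    systemctl restart "dirsrv@${INSTANCE}"
}

# Smoke test: simple bind as a user under the include suffix with that
# user's AD password. -ZZ forces STARTTLS; with pamSecure TRUE the same
# bind on a cleartext connection is rejected. Prints the bound DN.
check_bind() {
    ldapwhoami -x -ZZ -H ldap://localhost \
        -D "uid=$1,${INCLUDE_SUFFIX}" -w "$2"
}

case "${1:-}" in
    apply) apply ;;
    check) check_bind "$2" "$3" ;;
esac
```

Run as `sh pam-pta.sh apply` on the 389 host, then `sh pam-pta.sh check gary 'AD-password'` from a client. Two caveats worth keeping in mind: the plugin replaces only password verification, so each user still needs an entry with the right uid under the include suffix (that is what the sync agreement, or your own provisioning, keeps supplying), and accounts that exist only locally must sit outside pamIncludeSuffix or under pamExcludeSuffix, since with pamFallback FALSE they can no longer bind with their 389 userPassword. If SSSD is configured with use_fully_qualified_names, the RDN alone is not a valid login name; use pamIDMapMethod ENTRY together with pamIDAttr naming an attribute that holds the user@DOMAIN form instead.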