Thomas Charron <[EMAIL PROTECTED]> writes:

>   True, however, it would seem Kenny seems to intend to not require
> any auth traffic to have to go over the wire to the remote site.  So
> in reality, when authenticating via LDAP, he'd want to replicate the
> LDAP server is TWO locations.

Not so! You have an LDAP server in both locations, both of which are
children of the ou=corp,ou=foo,ou=bar domain and allow *any member* of
that super-domain access.  You manage the accounts for these domains
centrally on the super-domain server, and occasionally push out the
entire hierarchy to both sub-domain servers.  Everyone authenticates
locally. (why is this so difficult to grasp?  I feel like this is the
third or fourth time I've explained this.)

>   His primary question, however, is if he can have 2 Samba servers
> providing authentication for one single Active Directory domain.
> This way both sites would acknowledge the users authentication
> within the domain.

And the answer I keep giving is no, not really, but sort of if you do
it with a tiered configuration.

>   Am I right here Kenny, or did I misread the question?

No, you're not understanding the answers.

>> A member of a Windows Domain authenticates against its Domain
>> Controller.  Hence, my answer to set it up hierarchically using LDAP.
>
>
>   But he wants to know if he can have multiple domain controllers
> distributed across two physical locations, authing off of their own copies
> of the LDAP tree.
>
>   It answers his question, but not clearly..  ;-)

And the answer is yes, but that would require cross-domain
authentication in the case that someone from ou=here got to ou=there.
But if you configure your LDAP acls such that 'ou=*, ou=corp, ou=foo,
ou=bar' can access whatever, then you never need to cross domains.

>> LDAP becomes your authenticating agent in your scheme, since there
>> is no "DC" per se, just a Samba server configured to hand off requests
>> to an LDAP server.  Have local DCs which authenticate users configured
>> such that either DC will allow users from both "domains" to access
>> everything via LDAP.
>
>
>   He doesn't want 2 domains.  He wants 1.

Then he can't do what he wants.  What's the problem with two domains?
Technically, they're *sub* domains, and for all intents and purposes,
he manages them as one.  The users have no clue what domain they're in,
nor do they care.

>> > The reason for this is that people will travel between here and
>> > there quite often,
>> Yeah, so.  Just set the ACLs up to allow anyone in 'ou=*, ou=corp,
>> dc=foo, dc=com' access to whatever you want everyone to access.
>
>   That would work, but still require maintaining two separate directories.
> Seems it'd be much easier to just have one and replicate the LDAP server.

This statement seems to indicate a fundamental lack of knowledge of
LDAP, hierarchical design, and, well, just about everything else we're
talking about here.

-- 

Seeya,
Paul
_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
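The hierarchical-ACL scheme argued about above, as an added example that is not
part of the original thread: a small Python model of a directory where each site's
users sit in their own sub-OU (ou=here, ou=there) under one corporate base, and a
single ACL that names the base subtree as both target and requester lets a member
of either site read the whole tree, so a user who travels never needs to cross
into the other sub-domain to authenticate. The DNs, the OU names, the admin DN,
the rule set and the helpers (parse_dn, matches, access_level, site_of, can_read)
are all constructed for illustration. The evaluation order (first rule whose "to"
matches the target, then the first matching "by" clause, otherwise deny) imitates
the OpenLDAP access directive; DN values are compared case-insensitively, which is
an assumption that holds for the ou/dc/uid attributes used here.

```python
"""
Added example, not code from the thread: a model of a hierarchical LDAP
ACL with two site sub-OUs (ou=here, ou=there) under one corporate base.
All DNs, OU names and rules are constructed; the matching semantics
imitate an OpenLDAP 'access to ... by ...' directive.
"""
import re

CORP_BASE = "ou=corp,dc=foo,dc=com"   # constructed base, after the thread


def parse_dn(dn):
    """Split a DN into (attr, value) RDNs, leaf first.  Attribute names and
    values are case-folded (assumes caseIgnore matching, true for ou/dc/uid);
    a backslash-escaped comma stays part of the value."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.strip().lower(),
                     value.strip().replace("\\,", ",").lower()))
    return rdns


def matches(dn, pattern):
    """True if `dn` lies in a subtree whose root matches `pattern`.
    '*' as an RDN value matches any single value (as in ou=*), and the
    bare pattern '*' matches every DN."""
    if pattern == "*":
        return True
    d, p = parse_dn(dn), parse_dn(pattern)
    if len(d) < len(p):
        return False
    tail = d[len(d) - len(p):]
    return all(da == pa and (pv == "*" or dv == pv)
               for (da, dv), (pa, pv) in zip(tail, p))


def access_level(acls, target_dn, requester_dn):
    """Resolve what `requester_dn` may do to `target_dn`.  Only the first
    rule whose 'to' matches the target is consulted; within it the first
    matching 'by' clause wins; no match at either level means 'none'."""
    for rule in acls:
        if not matches(target_dn, rule["to"]):
            continue
        for who, level in rule["by"]:
            if who == "self":
                if parse_dn(target_dn) == parse_dn(requester_dn):
                    return level
            elif matches(requester_dn, who):
                return level
        return "none"
    return "none"


def site_of(dn):
    """Name of the site sub-OU directly under the corp base that `dn`
    belongs to, or None: the users themselves never need to know this."""
    d, base = parse_dn(dn), parse_dn(CORP_BASE)
    if len(d) <= len(base) or d[len(d) - len(base):] != base:
        return None
    attr, value = d[len(d) - len(base) - 1]
    return value if attr == "ou" else None


# Constructed rule set: one corporate tree, managed centrally by the admin,
# readable by any member of any site sub-OU, writable by the entry's owner,
# and closed to everyone else.
ACLS = [
    {"to": CORP_BASE,
     "by": [("cn=admin,dc=foo,dc=com", "write"),   # central administrator
            ("self", "write"),                      # each user's own entry
            (f"ou=*,{CORP_BASE}", "read"),          # anyone from any site
            ("*", "none")]},
]


def can_read(requester_dn, target_dn, acls=ACLS):
    """Convenience check used by the sample below."""
    return access_level(acls, target_dn, requester_dn) in ("read", "write")


if __name__ == "__main__":
    here = "uid=kenny,ou=here,ou=corp,dc=foo,dc=com"     # constructed
    there = "uid=alice,ou=there,ou=corp,dc=foo,dc=com"   # constructed
    guest = "uid=mallory,ou=guests,dc=foo,dc=com"        # constructed
    print("here -> there:", can_read(here, there))       # one tree, no crossing
    print("guest -> there:", can_read(guest, there))     # outside ou=corp
    print("site of kenny:", site_of(here))
```

In slapd.conf terms the rule above is the single directive
`access to dn.subtree="ou=corp,dc=foo,dc=com" by dn.subtree="ou=corp,dc=foo,dc=com" read`
plus the admin and self clauses; the point the model makes is that the same rule,
loaded on the server at each site, grants the travelling user access without any
second "domain" being visible to them. What the model does not do is move the data:
the central push of the hierarchy to both site servers still has to happen for each
local server to know about the other site's users.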
