Hi all,

First, sorry for posting this mail to a Samba list. I first posted it to [EMAIL PROTECTED], which should be a general LDAP discussion list, and also to the OpenLDAP mailing list. So far I haven't got a single reply on any of those lists, but that's probably because this issue is much more AD-related than plain LDAP. And we know that besides MS the Samba developers know the most about AD :-) So here we go, maybe someone has some ideas:

We are completely redesigning our NOS setup at our university at the moment. So far we have four different network operating systems: Solaris, Linux, Windows AD and Windows with NDS (Novell Directory Server). We now plan to have an LDAP server on top, and the NOSes should connect to the LDAP server. This should be the base for single sign-on for every service. Because we want to keep the top OS-independent, AD on top is *not* an option; we decided to go for OpenLDAP on Linux/BSD as the master server. The LDAP server gets fed via some kind of meta-database.

Setting up the Linux and Solaris clients to use LDAP is not really a problem. Connecting AD to LDAP looks much more complicated; after one week of testing and experimenting it is getting quite annoying ;)

What we are looking for: In our best-case scenario AD would simply delegate all requests for user IDs and passwords to another LDAP server, which in our case would be OpenLDAP and not another AD server (with AD it should work, if I understand that correctly). We tried to connect AD and OpenLDAP via a crossRef object; according to Carter's OpenLDAP book (Chapter 9) this should be quite easy. Unfortunately it doesn't work so far: AD never connects to our LDAP server according to the log files. However, the link is not using TLS at the moment, so that might be a problem. Even if we get that to work I'm still not sure if we can delegate user/password requests like this. Has anyone successfully implemented something like this? Is it possible at all, or would I need a combination of Kerberos/LDAP to do this? I searched about every source I could find (mailing list archives, newsgroups, Google...) but I couldn't find anyone who implemented something like this.

If a user changes the password in AD we would also like to change it directly in OpenLDAP, so the next login on the Unix box would use the new password without a big delay.
I found a solution in the MS Knowledge Base about how to do it the other way round, but the question is: can I trigger a script from AD when the password changes? In the worst case we would have to sync the user databases between LDAP and AD, but that sucks, especially if you want to change the password on one system... I found solutions like http://acctsync.sourceforge.net/ on the net, but I would prefer our approach a lot :) BTW, pGina is not an option because we would lose authorisation for all the other AD services that way. Any feedback/experiences on this subject are very much appreciated.

cu
Adrian
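As an added illustration (not from the original post, and not taken from Carter's book), this is the shape of the crossRef object the message refers to: an entry under the Partitions container of the AD configuration naming context that makes AD hand out LDAP referrals for a naming context it does not host itself. The domain names, DNs and host name below are placeholders. One caveat worth stating before trying it: for search and modify operations under the nCName subtree, AD answers with a referral to the server named in dnsRoot, which the LDAP client then has to chase on its own; the crossRef does not make AD bind to or verify passwords against that server, so a referral alone cannot delegate authentication.

```ldif
# Added example, not from the original post: an external crossRef that
# makes AD refer operations under dc=example,dc=edu to an OpenLDAP server.
# All names and the host are placeholders.
dn: CN=example.edu,CN=Partitions,CN=Configuration,DC=ad,DC=example,DC=edu
changetype: add
objectClass: crossRef
cn: example.edu
# Naming context that lives on the external server; it must not overlap
# a naming context that AD itself hosts
nCName: dc=example,dc=edu
# DNS name of the server AD will refer clients to for that naming context
dnsRoot: ldap.example.edu
```

Import it on a domain controller with `ldifde -i -f crossref.ldf` and then watch the OpenLDAP log while an LDAP client (not AD) searches below `dc=example,dc=edu` against the DC: if the client supports referral chasing, the connection to `ldap.example.edu` comes from the client, which is why a DC-side log would never show AD connecting to the OpenLDAP server.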