On Wed, 2004-02-18 at 04:11, Adrian Gschwend wrote:
> Hi all,
>
> First, sorry for posting this mail in a Samba-list, I first posted it to
> [EMAIL PROTECTED] which should be a general LDAP discussion list and also to
> OpenLDAP mailinglist. So far I didn't get a single reply in any of those
> lists but that's probably because this issue is much more AD-related than
> plain LDAP. And we know that beside MS the Samba developers know most
> about AD :-) So here we go, maybe anyone got some ideas:
>
> We completely redesign our NOS-Setup at our University at the moment. So
> far we have four different network operating systems: Solaris, Linux,
> Windows AD and Windows with NDS (Novell Directory Server). We now plan to
> have an LDAP server on top and the NOS should connect to the LDAP Server.
> This should be the base for single sign on for every service. Because we
> want to keep the top OS-independent, AD on top is *not* an option, we
> decided to go for OpenLDAP on Linux/BSD as master server. The LDAP-Server
> gets fed via some kind of meta-database.

This sounds like an interesting setup.

> What we are looking for:
> In our best-case scenario AD would simply delegate all requests for userid
> and passwords to another LDAP server which in our case would be OpenLDAP
> and not another AD server (with AD it should work if I understand that
> correctly). We tried to connect AD and OpenLDAP via a crossRef Object,
> according to Carter's OpenLDAP book (Chapter 9) this should be quite easy.
> Unfortunately it doesn't work so far, AD never connects to our LDAP server
> according to the logfiles. However, the link is not using TLS at the
> moment so that might be a problem.

You can't make AD talk to an external LDAP server, as AD is based on its
internal database - LDAP is just a view.

> Even if we get that to work I'm still not sure if we can delegate
> user/password requests like this. Has anyone successfully implemented
> something like this? Is it possible after all or would I need a
> combination of Kerberos/LDAP to do this?

Why are you using AD? (There are many good answers to this question).

Samba 3.0 acts as a PDC, and the same password database can be used to
implement a unix Kerberos system. (I have a demonstration patch that does
just that). This works by extending Heimdal's LDAP password backend.

> I searched about every source I
> could find (Mailinglist archives, newsgroups, google...) but I couldn't
> find anyone who implemented something like this. If a user is changing the
> password in AD we also would like to change that directly in OpenLDAP, so
> the next login on the Unix box would use the new password without big
> delay. I found a solution in the MS Knowledge Base about how to do it vice
> versa but the question is can I trigger a script from AD when the
> pwd changes?

Password sync scripts will always cause trouble. You would be better to
choose one server to hold the passwords, and hack everything else to talk
to it.

> In worst case we would have to sync the user databases between LDAP and AD
> but that sucks, especially if you want to change the password on one
> system... I found solutions like http://acctsync.sourceforge.net/ in the
> net but I would prefer our approach a lot :)
>
> BTW, pGina is not an option btw because we would lose authorisation for
> all the other AD services like this.

So why is a Samba PDC not an option? You lose kerberos authentication for
windows (for the moment at least), but NTLM does work.

Andrew Bartlett

-- 
Andrew Bartlett  [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College  [EMAIL PROTECTED]
http://samba.org  http://build.samba.org  http://hawkerc.net
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba