Adrian Gschwend ktk at netlabs.org
Tue Feb 17 17:11:28 GMT 2004

Hi all,

First, sorry for posting this mail to a Samba list; I first posted it to
ldap at umich.edu, which should be a general LDAP discussion list, and also to
the OpenLDAP mailing list. So far I haven't got a single reply on any of those
lists, but that's probably because this issue is much more AD-related than
plain LDAP. And we know that besides MS, the Samba developers know the most
about AD :-) So here we go, maybe someone has some ideas:

We are completely redesigning our NOS setup at our University at the moment. So
far we have four different network operating systems: Solaris, Linux,
Windows AD and Windows with NDS (Novell Directory Server). We now plan to
have an LDAP server on top, and the NOS should connect to the LDAP server.
This should be the base for single sign-on for every service. Because we
want to keep the top layer OS-independent, AD on top is *not* an option, so we
decided to go for OpenLDAP on Linux/BSD as the master server. The LDAP server
gets fed via some kind of meta-database.

Setting up the Linux and Solaris clients to use LDAP is not really a
problem. Connecting AD to LDAP looks much more complicated; after one week
of testing and experimenting it gets quite annoying ;)

What we are looking for:
In our best-case scenario AD would simply delegate all requests for user IDs
and passwords to another LDAP server, which in our case would be OpenLDAP
and not another AD server (with AD it should work, if I understand that
correctly). We tried to connect AD and OpenLDAP via a crossRef object;
according to Carter's OpenLDAP book (Chapter 9) this should be quite easy.
Unfortunately it doesn't work so far: AD never connects to our LDAP server
according to the log files. However, the link is not using TLS at the
moment, so that might be a problem.

Even if we get that to work I'm still not sure if we can delegate
user/password requests like this. Has anyone successfully implemented
something like this? Is it possible after all, or would I need a
combination of Kerberos/LDAP to do this? I searched about every source I
could find (mailing list archives, newsgroups, Google...) but I couldn't
find anyone who implemented something like this. If a user changes the
password in AD we would also like to change it directly in OpenLDAP, so
the next login on the Unix box would use the new password without a big
delay. I found a solution in the MS Knowledge Base about how to do it vice
versa, but the question is: can I trigger a script from AD when the

In the worst case we would have to sync the user databases between LDAP and AD,
but that sucks, especially if you want to change the password on one
system... I found solutions like http://acctsync.sourceforge.net/ on the
net, but I would prefer our approach a lot :)

BTW, pGina is not an option because we would lose authorisation for
all the other AD services that way.

Any feedback/experiences about this subject are very much appreciated.