[Samba] A bit OT: LDAP and AD interoperability with LDAP as master

Andrew Bartlett abartlet at samba.org
Thu Feb 19 07:51:48 GMT 2004


On Wed, 2004-02-18 at 04:11, Adrian Gschwend wrote:
> Hi all,
> 
> First, sorry for posting this mail in a Samba list, I first posted it to
> ldap at umich.edu which should be a general LDAP discussion list and also to the
> OpenLDAP mailing list. So far I haven't got a single reply in any of those
> lists but that's probably because this issue is much more AD-related than
> plain LDAP. And we know that besides MS the Samba developers know most
> about AD :-) So here we go, maybe someone has some ideas:
> 
> We are completely redesigning our NOS setup at our University at the moment. So
> far we have four different network operating systems: Solaris, Linux,
> Windows AD and Windows with NDS (Novell Directory Server). We now plan to
> have an LDAP server on top and the NOS should connect to the LDAP server.
> This should be the base for single sign on for every service. Because we
> want to keep the top OS-independent, AD on top is *not* an option, so we
> decided to go for OpenLDAP on Linux/BSD as master server. The LDAP server
> gets fed via some kind of meta-database.

This sounds like an interesting setup.

> What we are looking for:
> In our best-case scenario AD would simply delegate all requests for userid
> and passwords to another LDAP server which in our case would be OpenLDAP
> and not another AD server (with AD it should work if I understand that
> correctly). We tried to connect AD and OpenLDAP via a crossRef Object,
> according to Carter's OpenLDAP book (Chapter 9) this should be quite easy.
> Unfortunately it doesn't work so far, AD never connects to our LDAP server
> according to the logfiles. However, the link is not using TLS at the
> moment so that might be a problem.

You can't make AD talk to an external LDAP server, as AD is based on
its internal database - LDAP is just a view.

> Even if we get that to work I'm still not sure if we can delegate
> user/password requests like this. Has anyone successfully implemented
> something like this? Is it possible after all or would I need a
> combination of Kerberos/LDAP to do this?

Why are you using AD?  (There are many good answers to this question).

Samba 3.0 acts as a PDC, and the same password database can be used to
implement a unix Kerberos system.  (I have a demonstration patch that
does just that).  This works by extending Heimdal's LDAP password
backend.

>  I searched about every source I
> could find (Mailinglist archives, newsgroups, google...) but I couldn't
> find anyone who implemented something like this. If a user is changing the
> password in AD we also would like to change that directly in OpenLDAP, so
> the next login on the Unix box would use the new password without big
> delay. I found a solution in the MS Knowledge Base about how to do it vice
> versa but the question is can I trigger a script from AD when the
> pwd-changes?

Password sync scripts will always cause trouble.  You would be better to
choose one server to hold the passwords, and hack everything else to
talk to it.  

> In worst case we would have to sync the user databases between LDAP and AD
> but that sucks, especially if you want to change the password on one
> system... I found solutions like http://acctsync.sourceforge.net/ in the
> net but I would prefer our approach a lot :)
> 
> BTW, pGina is not an option because we would lose authorisation for
> all the other AD services like this.

So why is a Samba PDC not an option?  You lose Kerberos authentication
for Windows (for the moment at least), but NTLM does work.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
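The "one server holds the passwords, everything else talks to it" approach above, as an added smb.conf fragment for a Samba 3.0 PDC that keeps its account database in the OpenLDAP master; this is an illustration, not configuration from the thread or from the Samba project, and the domain name, LDAP host and DNs are placeholders.

```ini
[global]
   # Constructed example: Samba 3.0 PDC backed by the OpenLDAP master
   workgroup = EXAMPLE
   security = user
   domain logons = yes
   domain master = yes

   # Account database lives in OpenLDAP, not in a local tdb file
   passdb backend = ldapsam:ldap://ldap.example.edu
   ldap suffix = dc=example,dc=edu
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap admin dn = cn=samba,dc=example,dc=edu
   # Password for the admin DN is stored separately with: smbpasswd -w <secret>

   # Protect the credentials on the wire between the PDC and the master
   ldap ssl = start tls

   # When a Windows client changes its password, Samba updates the
   # userPassword attribute as well, so the next Unix login sees it
   # without a separate sync script
   ldap passwd sync = yes
```

Unix hosts then authenticate against the same userPassword attribute through their own LDAP client (PAM/NSS), so there is a single password store and no bidirectional synchronisation to keep consistent.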
