[Samba] A bit OT: LDAP and AD interoperability with LDAP as master

Andrew Bartlett abartlet at samba.org
Thu Feb 19 07:51:48 GMT 2004

On Wed, 2004-02-18 at 04:11, Adrian Gschwend wrote:
> Hi all,
> First, sorry for posting this mail to a Samba list; I first posted it to
> ldap at umich.edu, which should be a general LDAP discussion list, and also to the
> OpenLDAP mailing list. So far I didn't get a single reply on any of those
> lists, but that's probably because this issue is much more AD-related than
> plain LDAP. And we know that besides MS the Samba developers know the most
> about AD :-) So here we go, maybe someone has some ideas:
> We are completely redesigning our NOS setup at our university at the moment. So
> far we have four different network operating systems: Solaris, Linux,
> Windows AD and Windows with NDS (Novell Directory Server). We now plan to
> have an LDAP server on top, and the NOSes should connect to the LDAP server.
> This should be the base for single sign-on for every service. Because we
> want to keep the top OS-independent, AD on top is *not* an option, so we
> decided to go for OpenLDAP on Linux/BSD as master server. The LDAP server
> gets fed via some kind of meta-database.

This sounds like an interesting setup.

> What we are looking for:
> In our best-case scenario AD would simply delegate all requests for user IDs
> and passwords to another LDAP server, which in our case would be OpenLDAP
> and not another AD server (with AD it should work if I understand that
> correctly). We tried to connect AD and OpenLDAP via a crossRef object;
> according to Carter's OpenLDAP book (Chapter 9) this should be quite easy.
> Unfortunately it doesn't work so far; AD never connects to our LDAP server
> according to the logfiles. However, the link is not using TLS at the
> moment, so that might be a problem.

You can't make AD talk to an external LDAP server, as AD is based on
its internal database - LDAP is just a view.

> Even if we get that to work I'm still not sure if we can delegate
> user/password requests like this. Has anyone successfully implemented
> something like this? Is it possible after all, or would I need a
> combination of Kerberos/LDAP to do this?

Why are you using AD?  (There are many good answers to this question).

Samba 3.0 acts as a PDC, and the same password database can be used to
implement a Unix Kerberos system.  (I have a demonstration patch that
does just that).  This works by extending Heimdal's LDAP password

> I searched about every source I
> could find (mailing list archives, newsgroups, Google...) but I couldn't
> find anyone who implemented something like this. If a user changes the
> password in AD we would also like to change it directly in OpenLDAP, so
> the next login on the Unix box would use the new password without a big
> delay. I found a solution in the MS Knowledge Base about how to do it vice
> versa, but the question is: can I trigger a script from AD when the
> password changes?

Password sync scripts will always cause trouble.  You would be better to
choose one server to hold the passwords, and hack everything else to
talk to it.  

> In the worst case we would have to sync the user databases between LDAP and AD,
> but that sucks, especially if you want to change the password on one
> system... I found solutions like http://acctsync.sourceforge.net/ on the
> net, but I would prefer our approach a lot :)
> BTW, pGina is not an option because we would lose authorisation for
> all the other AD services like this.

So why is a Samba PDC not an option?  You lose Kerberos authentication
for Windows (for the moment at least), but NTLM does work.

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
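As an added illustration of the point in the reply above that a crossRef does not make the DC go and talk to OpenLDAP: what a DC hands back for a crossRef'd naming context is an LDAP referral, and whether anything follows it is the client's decision. The script below is not from this thread, from Samba or from OpenLDAP; it is a stdlib-only Python sketch of the RFC 4511 wire format for a simple BindRequest and for an LDAPResult carrying a referral, plus the client-side allowlist check a practitioner would want before chasing one. The DN, password, hostname and both "server replies" are constructed here, not captured from a real DC or slapd.

```python
import urllib.parse

# --- BER encoding (RFC 4511 uses a restricted BER subset) ---

def ber_len(n: int) -> bytes:
    """Definite-form length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v: int, tag: int = 0x02) -> bytes:
    size = max(1, (v.bit_length() + 8) // 8)   # +8 leaves room for the sign bit
    return tlv(tag, v.to_bytes(size, "big", signed=True))

def ber_str(s: str, tag: int = 0x04) -> bytes:
    return tlv(tag, s.encode("utf-8"))

def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPv3 simple BindRequest ([APPLICATION 0] = 0x60). The password is
    carried as plain bytes, which is why this must only ever cross TLS/ldaps."""
    bind = ber_int(3) + ber_str(dn) + tlv(0x80, password.encode())  # authentication [0] simple
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, bind))

# --- BER decoding ---

def parse_tlv(buf: bytes, off: int = 0):
    """Return (tag, payload, offset just past this element)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln

def parse_sequence(payload: bytes):
    """Split a constructed element's payload into (tag, payload) children."""
    out, off = [], 0
    while off < len(payload):
        tag, val, off = parse_tlv(payload, off)
        out.append((tag, val))
    return out

def parse_result(msg: bytes) -> dict:
    """Decode an LDAPResult-shaped op: BindResponse (0x61), SearchResultDone (0x65), ..."""
    tag, body, _ = parse_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    (_, msg_id), (op_tag, op) = parse_sequence(body)[:2]
    fields = parse_sequence(op)
    result = {
        "messageID": int.from_bytes(msg_id, "big", signed=True),
        "op": op_tag,
        "resultCode": int.from_bytes(fields[0][1], "big"),
        "matchedDN": fields[1][1].decode(),
        "diagnosticMessage": fields[2][1].decode(),
        "referral": [],
    }
    for t, val in fields[3:]:
        if t == 0xA3:   # referral [3] SEQUENCE OF LDAPURL
            result["referral"] = [u.decode() for _, u in parse_sequence(val)]
    return result

def ldap_result(op_tag: int, code: int, referrals=()) -> bytes:
    """Build an LDAPResult-shaped reply; used here only to construct sample server messages."""
    body = ber_int(code, 0x0A) + ber_str("") + ber_str("")   # ENUMERATED, matchedDN, diagnosticMessage
    if referrals:
        body += tlv(0xA3, b"".join(ber_str(u) for u in referrals))
    return tlv(0x30, ber_int(1) + tlv(op_tag, body))

def safe_referral_targets(result: dict, trusted_hosts: set) -> list:
    """Chasing a referral is the client's choice, and a client that re-binds with the
    same simple credentials hands its password to whatever host the referral names.
    Only return URLs whose host we are prepared to bind to."""
    if result["resultCode"] != 10:   # 10 = referral
        return []
    return [u for u in result["referral"]
            if urllib.parse.urlsplit(u).hostname in trusted_hosts]

# Constructed sample exchange (hypothetical DN, password and host; not real captures):
REQ = bind_request(1, "uid=agschwend,ou=people,dc=example,dc=org", "hunter2")
BIND_OK = ldap_result(0x61, 0)                 # what slapd would answer to a good bind
CROSSREF_REPLY = ldap_result(0x65, 10, ["ldap://ldap.example.org/dc=example,dc=org"])  # DC reply for a crossRef'd NC

if __name__ == "__main__":
    print("BindRequest:", REQ.hex())
    print("slapd reply:", parse_result(BIND_OK))
    r = parse_result(CROSSREF_REPLY)
    print("DC reply:", r)
    print("would follow:", safe_referral_targets(r, {"ldap.example.org"}))
```

Two things worth seeing in the output: the password sits in the BindRequest as plain bytes, which is why the TLS remark in the original question matters on any link carrying binds; and the referral carries nothing but a URL, so the DC has done no connecting of its own and the allowlist check belongs in whatever client you let chase referrals.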
