Hi.

I have two Samba 4 Domain Controllers in the LAN network, and I need to join some Windows clients from the DMZ network.

I read the document at https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD#Authentication_against_AD_through_openLDAP_proxy and it tells about an OpenLDAP proxy to authenticate some external services through it, but I need to join some Windows clients so I think I cannot use it, can I?

So could you advise me what a best practice could be?

Thank you very much!
Bye

Hello,

On 28.08.2015 at 21:03, shacky wrote:
> I read the document at
> https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD#Authentication_against_AD_through_openLDAP_proxy
> and it tells about an OpenLDAP proxy to authenticate some external
> services through it, but I need to join some Windows clients so I
> think I cannot use it, can I?
>
> So could you advise me what a best practice could be?

If you have to join DMZ machines, the openLDAP proxy won't work, because it would just provide access to underlying LDAP. However, it is not able to understand setting e.g. AD permissions or other things the classic LDAP doesn't have.

Regards,
Marc

On 29/08/15 19:09, Marc Muehlfeld wrote:
> Hello,
>
> On 28.08.2015 at 21:03, shacky wrote:
>> I read the document at
>> https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD#Authentication_against_AD_through_openLDAP_proxy
>> and it tells about an OpenLDAP proxy to authenticate some external
>> services through it, but I need to join some Windows clients so I
>> think I cannot use it, can I?
>>
>> So could you advise me what a best practice could be?
> If you have to join DMZ machines, the openLDAP proxy won't work, because
> it would just provide access to underlying LDAP. However, it is not able
> to understand setting e.g. AD permissions or other things the classic
> LDAP doesn't have.
>
>
> Regards,
> Marc

Microsoft has a doc for this, but being Microsoft they don't call it a DMZ, it's a 'perimeter network'. See: http://www.microsoft.com/en-us/download/details.aspx?id=3957#tm

Rowland