Paul Reemeijer
2016-Jan-23 09:47 UTC
[Samba] Best way to sync Samba AD 4 LDAP with OpenLDAP
Hello all,

At this moment we are still using Samba 3 for our Windows clients but we are in need of an Active Directory. So the best solution for us looks like migrating to Samba 4 AD.
But... we have a very robust OpenLDAP setup that we want to use for our default user administration and don't want to give this up.

We really would like to sync information from and to Samba LDAP but my question is:
Does anyone have a good solution for us to sync the Samba 4 AD LDAP with our OpenLDAP setup? (default userinfo including passwords sync)

Kind regards,
Paul
Rowland penny
2016-Jan-23 12:51 UTC
[Samba] Best way to sync Samba AD 4 LDAP with OpenLDAP
On 23/01/16 09:47, Paul Reemeijer wrote:
> Hello all,
>
> At this moment we are still using Samba 3 for our Windows clients but we are in need of an Active Directory. So the best solution for us looks like migrating to Samba 4 AD.
> But... we have a very robust OpenLDAP setup that we want to use for our default user administration and don't want to give this up.
>
> We really would like to sync information from and to Samba LDAP but my question is:
> Does anyone have a good solution for us to sync the Samba 4 AD LDAP with our OpenLDAP setup? (default userinfo including passwords sync)
>
> Kind regards, Paul
>

I don't think you can 'sync' info between openldap and AD, you could try running openldap as a cache/proxy.

Could you expand on 'we have a very robust OpenLDAP setup that we want to use for our default user administration', this is what AD is for, or do you mean that you have various programs that auth to ldap? If so, what are they?

Rowland
Rowland penny
2016-Jan-25 09:46 UTC
[Samba] Best way to sync Samba AD 4 LDAP with OpenLDAP
On 25/01/16 08:03, Paul Reemeijer wrote:
> Good morning Rowland,
>
> Thank you for your reaction.
>
> Our OpenLDAP setup is maintained by a lot of people and in-house made tools; so that is why my first solution that I want to present for a new Samba solution to use OpenLDAP as our place to manage users. We also have everything (services, workplaces and servers) make use of our ldap service.
> We want to use Samba AD mainly for the AD and GPO.
>
> I hope this is somehow a solution else I need to reevaluate the project.
>
> Kind regards,
> Paul Reemeijer
>

So you want to manage your users in ldap and use AD, or to put it another way, you want to have your users in ldap and in AD.

I think you may be missing the point here, the whole idea behind AD is centralisation, all your users and groups exist in AD and your workstations, services etc look there to find them.

You will have problems trying to keep your users etc in sync between two databases, take passwords for instance, in ldap they are easily visible and copyable, whilst in AD, they are hidden and read-only.

I think that you need to think the other way i.e. how do I make my existing setup work with AD, instead of how do I make AD work with my existing setup.

You will also have another problem, you will need to join your windows workstations to your new AD domain, once this is done, they will only look to AD for authentication, they will ignore the ldap servers.

Rowland
Paul Reemeijer
2016-Jan-27 07:46 UTC
[Samba] Best way to sync Samba AD 4 LDAP with OpenLDAP
Hello Rowland,

Thanks for your reactions. We will internally discuss how to implement an AD solution.

Kind regards,
Paul