Adrian Gschwend
2004-Feb-17 17:21 UTC
[Samba] A bit OT: LDAP and AD interoperability with LDAP as master
Hi all,

First, sorry for posting this mail in a Samba list; I first posted it to ldap@umich.edu, which should be a general LDAP discussion list, and also to the OpenLDAP mailing list. So far I didn't get a single reply on any of those lists, but that's probably because this issue is much more AD-related than plain LDAP. And we know that besides MS, the Samba developers know most about AD :-) So here we go, maybe anyone got some ideas:

We are completely redesigning our NOS setup at our University at the moment. So far we have four different network operating systems: Solaris, Linux, Windows AD and Windows with NDS (Novell Directory Server). We now plan to have an LDAP server on top, and the NOSes should connect to the LDAP server. This should be the base for single sign-on for every service. Because we want to keep the top OS-independent, AD on top is *not* an option; we decided to go for OpenLDAP on Linux/BSD as master server. The LDAP server gets fed via some kind of meta-database.

Setting up the Linux and Solaris clients to use LDAP is not really a problem. Connecting AD to LDAP looks much more complicated; after one week of testing and experimenting it gets quite annoying ;)

What we are looking for:
In our best-case scenario AD would simply delegate all requests for userid and passwords to another LDAP server, which in our case would be OpenLDAP and not another AD server (with AD it should work, if I understand that correctly). We tried to connect AD and OpenLDAP via a crossRef object; according to Carter's OpenLDAP book (Chapter 9) this should be quite easy. Unfortunately it doesn't work so far: AD never connects to our LDAP server according to the log files. However, the link is not using TLS at the moment, so that might be a problem. Even if we get that to work I'm still not sure if we can delegate user/password requests like this. Has anyone successfully implemented something like this? Is it possible after all, or would I need a combination of Kerberos/LDAP to do this?

I searched about every source I could find (mailing list archives, newsgroups, Google...) but I couldn't find anyone who implemented something like this. If a user changes the password in AD we would also like to change it directly in OpenLDAP, so the next login on the Unix box would use the new password without a big delay. I found a solution in the MS Knowledge Base about how to do it vice versa, but the question is: can I trigger a script from AD when the password changes? In the worst case we would have to sync the user databases between LDAP and AD, but that sucks, especially if you want to change the password on one system... I found solutions like http://acctsync.sourceforge.net/ on the net, but I would prefer our approach a lot :)

BTW, pGina is not an option because we would lose authorisation for all the other AD services like this.

Any feedback/experiences about this subject is very much appreciated.

cu
Adrian
Michael Bartosh
2004-Feb-19 07:40 UTC
[Samba] A bit OT: LDAP and AD interoperability with LDAP as master
At 6:11 PM +0100 2/17/04, Adrian Gschwend wrote:

> Setting up the Linux and Solaris clients to use LDAP is not really a
> problem. Connecting AD to LDAP looks much more complicated, after one week
> of testing and experimenting it gets quite annoying ;)

Yeah, this is totally OT. SunONE has a sync tool for AD... there are some other meta-directory products out there. Last I looked, though, OpenLDAP's back-meta wasn't up to this.

There's no point in religious wars about what's open and what's not. The point behind LDAP is that the standard is open. Who cares what's behind it... AD speaks LDAP, and AD makes an OK LDAP server for Unix hosts. If you have to support a lot of Windows clients, it's the best choice right now, until someone comes up with a replacement.

--
http://www.4am-media.com
Mac OS X Consulting and Training
Michael Bartosh
mbartosh@4am-media.com
303.517.0272
Denver, CO

"The surest way to corrupt a youth is to instruct him to hold in higher regard those who think alike than those who think differently." -- Nietzsche

Think Different.
Andrew Bartlett
2004-Feb-19 07:52 UTC
[Samba] A bit OT: LDAP and AD interoperability with LDAP as master
On Wed, 2004-02-18 at 04:11, Adrian Gschwend wrote:

> Hi all,
>
> First, sorry for posting this mail in a Samba-list, I first posted it to
> ldap@umich.edu which should be a general LDAP discussion list and also to
> OpenLDAP mailinglist. So far I didn't got a single reply in any of those
> lists but that's probably because this issue is much more AD-related than
> plain LDAP. And we know that beside MS the Samba developers know most
> about AD :-) So here we go, maybe anyone got some ideas:
>
> We completely redesign our NOS-Setup at our University at the moment. So
> far we have four different network operating systems: Solaris, Linux,
> Windows AD and Windows with NDS (Novell Directory Server). We now plan to
> have an LDAP server on top and the NOS should connect to the LDAP Server.
> This should be the base for single sign on for every service. Because we
> want to keep the top OS-Independent AD on top is *not* an option, we
> decided to go for OpenLDAP on Linux/BSD as master server. The LDAP-Server
> gets feeded via some kind of meta-database.

This sounds like an interesting setup.

> What we are looking for:
> In our best-case scenario AD would simply delegate all requests for userid
> and passwords to another LDAP server which in our case would be OpenLDAP
> and not another AD server (with AD it should work if I understand that
> correctly). We tried to connect AD and OpenLDAP via a crossRef Object,
> according to Carter's OpenLDAP book (Chapter 9) this should be quite easy.
> Unfortunately it doesn't work so far, AD never connects our LDAP server
> according to the logfiles. However, the link is not using TLS at the
> moment so that might be a problem.

You can't make AD talk to an external LDAP server, as AD is based on its internal database - LDAP is just a view.

> Even if we get that to work I'm still not sure if we can delgate
> user/password requests like this. Has anyone successfuly implemented
> something like this? Is it possible after all or would I need a
> combination of Kerberos/LDAP to do this?

Why are you using AD? (There are many good answers to this question.)

Samba 3.0 acts as a PDC, and the same password database can be used to implement a Unix Kerberos system. (I have a demonstration patch that does just that.) This works by extending Heimdal's LDAP password backend.

> I searched about every source I
> could find (Mailinglist archives, newsgroups, google...) but I couldn't
> find anyone who implemented something like this. If a user is changing the
> password in AD we also would like to change that directly in OpenLDAP, so
> the next login on the Unix box would use the new password without big
> delay. I found a solution in the MS Knowledge Base about how to do it vice
> versa but the question is can I trigger a script from AD when the
> pwd-changes?

Password sync scripts will always cause trouble. You would be better off choosing one server to hold the passwords, and hacking everything else to talk to it.

> In worst case we would have to sync the user databases between LDAP and AD
> but that sucks, especially if you want to change the password on one
> system... I found solutions like http://acctsync.sourceforge.net/ in the
> net but I would prefer our approach a lot :)
>
> BTW, pGina is not an option btw because we would loose authorisation for
> all the other AD services like this.

So why is a Samba PDC not an option? You lose Kerberos authentication for Windows (for the moment at least), but NTLM does work.

Andrew Bartlett

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net