Pekka L.J. Jalkanen
2013-Feb-26 14:01 UTC
[Samba] Synchronising password of some AD users with an external LDAP?
I'm in a situation where I should establish an external (i.e. non-AD) LDAP directory for my employer for various web-based authentication purposes. I don't think that Samba--or Windows AD, for that matter--in and of itself would be the best tool for this purpose; so far I've been reviewing 389 DS, ApacheDS, OpenDJ and plain old OpenLDAP, but have made no final decision yet.

Now however, it would be beneficial, even if not strictly speaking necessary, if I could automatically synchronise the passwords of certain accounts between that LDAP and our AD; the most sensible solution here would probably be to do it between the LDAP users having a corresponding AD account belonging to a specific AD OU. Other than passwords, the accounts and their attributes themselves should stay separate.

I know that if I were running a Windows AD, I could most likely accomplish what I want with--if nothing else--the 389 DS by using DS-provided Password Sync Service (see https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html for more information). However, our goal is to completely migrate our AD to Samba 4, so committing to any software that depends on the continued availability of a Windows DC simply won't do.

How could I accomplish this synchronisation with Samba 4? Can anyone nudge me to the right direction? Or is it possible at all?

Pekka L.J. Jalkanen
Daniel Müller
2013-Feb-26 14:13 UTC
[Samba] Synchronising password of some AD users with an external LDAP?
Apache can authenticate against samba4 ads the same way as if it were openldap.

http://wiki.samba.org/index.php/Samba4/beyond

Good Luck
Daniel

-----------------------------------------------
IT
Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
Email: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------
Gregory Sloop
2013-Feb-26 15:16 UTC
[Samba] Synchronising password of some AD users with an external LDAP?
PLJJ> I know that if I were running a Windows AD, I could most likely
PLJJ> accomplish what I want with--if nothing else--the 389 DS by using
PLJJ> DS-provided Password Sync Service (see
PLJJ> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
PLJJ> for more information).

This is way over my head, in terms of expertise - but since the AD should function identically to the Windows AD setup, it may well work just fine, even though the back-end isn't a Windows AD box, but a Samba4 AD.