Hello,
I am in search of a tool to solve a new directory server issue in relation to Active Directory...
For a long time here at work, we have had LDAP as our authentication source and nsswitch source for Solaris and Linux. First it was the Solaris DS, later the 389 DS. When AD came along we started using the Active Directory sync tool to sync passwords from the AD environment, but did not try to store all the Posix attributes in AD. This has worked well.
Recently, our company was bought by another that is implementing AD as the only allowed authentication source. We will be assimilated. However, they can't/won't store all the other stuff we need such as the Ethernet addresses, automount points, etc. They also won't sync passwords. It looks like we will still need a "real" directory server.
Does anyone have any ideas how to have two LDAP sources, one used for authentication and possibly some user attributes, group membership, etc. (AD) while using another (389?) for the rest of the stuff?
Is there some sort of frontend proxy that can merge the DITs from two stores on the backend? I seem to remember reading that the later versions of the Solaris DS could do something like this.
I don't even know what kind of tool I am asking for or I might be able to search for it and answer my own question.
Any pointers would be appreciated.
Gary Algier
On 04/14/2015 12:41 PM, Gary Algier wrote:
> Hello,
> I am in search of a tool to solve a new directory server issue in relation to Active Directory...
> For a long time here at work, we have had LDAP as our authentication source and nsswitch source for Solaris and Linux. First it was the Solaris DS, later the 389 DS. When AD came along we started using the Active Directory sync tool to sync passwords from the AD environment, but did not try to store all the Posix attributes in AD. This has worked well.
> Recently, our company was bought by another that is implementing AD as the only allowed authentication source. We will be assimilated. However, they can't/won't store all the other stuff we need such as the Ethernet addresses, automount points, etc. They also won't sync passwords. It looks like we will still need a "real" directory server.
> Does anyone have any ideas how to have two LDAP sources, one used for authentication and possibly some user attributes, group membership, etc. (AD) while using another (389?) for the rest of the stuff?
Perhaps a mix of sync and PAM pass through auth. With PAM pass through auth, you configure a PAM stack to authenticate to AD, then configure 389 PAM passthrough auth to use that PAM stack for authentication. https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/h...
> Is there some sort of frontend proxy that can merge the DITs from two stores on the backend? I seem to remember reading that the later versions of the Solaris DS could do something like this.
> I don't even know what kind of tool I am asking for or I might be able to search for it and answer my own question.
> Any pointers would be appreciated.
> Gary Algier
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
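As an added illustration of the setup Rich describes (this is not code from the thread or from the 389 project's documentation), the LDIF below enables the PAM Pass Through Auth plugin and adds one configuration entry that hands binds under the 389 suffix to a PAM service backed by AD. The suffix dc=example,dc=com, the entry name "AD pass-through" and the PAM service name "ldapserver" are assumptions; the PAM stack itself is shown in the leading comment.

```ldif
# Assumed PAM service file /etc/pam.d/ldapserver on the 389 DS host
# (constructed for this example), with SSSD already joined to the AD domain:
#   auth    required pam_sss.so
#   account required pam_sss.so
#
# 1. Turn the plugin on (a restart of the instance is needed afterwards).
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on

# 2. Configuration entry: which entries are passed to PAM and how.
dn: cn=AD pass-through,cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
objectClass: pamConfig
cn: AD pass-through
# PAM service name, i.e. the file under /etc/pam.d that talks to AD.
pamService: ldapserver
# Only binds against entries under this suffix go to PAM; cn=config
# (Directory Manager, replication managers) keeps normal LDAP auth.
pamIncludeSuffix: dc=example,dc=com
pamExcludeSuffix: cn=config
# Entries outside the include suffix are still allowed to bind locally.
pamMissingSuffix: ALLOW
# Use the uid attribute of the 389 entry as the PAM user name, so the
# entry's uid must match the sAMAccountName SSSD resolves from AD.
pamIDMapMethod: ENTRY
pamIDAttr: uid
# FALSE: do not fall back to the local userPassword if AD rejects the
# bind, so AD is the only source of truth for the password.
pamFallback: FALSE
# TRUE: only accept pass-through binds over a TLS-protected connection,
# since the clear-text password is forwarded to PAM.
pamSecure: TRUE
```

Load it with ldapmodify as Directory Manager and restart the instance; with pamFallback set to FALSE a stale userPassword left in 389 no longer works as a second, unsynchronised credential.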
On Tue, Apr 14, 2015 at 3:23 PM, Rich Megginson rmeggins@redhat.com wrote:
> On 04/14/2015 12:41 PM, Gary Algier wrote:
>> Hello,
>> I am in search of a tool to solve a new directory server issue in relation to Active Directory...
>> For a long time here at work, we have had LDAP as our authentication source and nsswitch source for Solaris and Linux. First it was the Solaris DS, later the 389 DS. When AD came along we started using the Active Directory sync tool to sync passwords from the AD environment, but did not try to store all the Posix attributes in AD. This has worked well.
>> Recently, our company was bought by another that is implementing AD as the only allowed authentication source. We will be assimilated. However, they can't/won't store all the other stuff we need such as the Ethernet addresses, automount points, etc. They also won't sync passwords. It looks like we will still need a "real" directory server.
>> Does anyone have any ideas how to have two LDAP sources, one used for authentication and possibly some user attributes, group membership, etc. (AD) while using another (389?) for the rest of the stuff?
> Perhaps a mix of sync and PAM pass through auth. With PAM pass through auth, you configure a PAM stack to authenticate to AD, then configure 389 PAM passthrough auth to use that PAM stack for authentication. https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/h...
Yes, that sounds just like what I need. AD can handle the auth, I will manage the data (with a little help from sync). Now to set up a new server...
Thanks
Gary