[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
AD passwd in OpenLDAP
- To: openldap-software@OpenLDAP.org
- Subject: AD passwd in OpenLDAP
- From: Turbo Fredriksson <turbo@bayour.com>
- Date: 20 Apr 2004 11:27:53 +0200
- Organization: LDAP/Kerberos expert wannabe
- User-agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
I have a customer that have been bitten by the "must upgrade because
there's newer versions" bug (RH8 is to old it seems - go figure) who
authenicate the Linux clients to an AD using LibNSS/LDAP and
LibPAM/{LDAP,Krb5}.
This required the SFU (M$ 'version' of the AD4UNIX), which is _EXTREAMLY_
unstable!
I was thinking that maybe I should setup a 'slave' KDC (MIT Kerberos
OR Heimdal - don't care that much in this regard) which manually or
(preferably) automaticly was syncing against the primary AD.
Now, since UNIX needs the RFC2307 (which the SFU provides to AD), I
can't do a 100% sync (I don't want the RFC2307 stuff in AD), so some
filtering needs to take place. The most 'troublesome' (?) would probably
be the userPassword field.
It was a while since I looked into what an AD object looks like, but
I remember that there where a lot of stuff that's not needed by UNIX
clients.
The important thing is that it should be possible to change the password
in ANY environment (Windows OR Linux/UNIX), and the effect should be
done in both places (AD and the slave KDC). Is it possible to use the
AD eqvivalens of the 'userPassword' field directly in OpenLDAP, and
is there any scripts etc that can do this syncronization?