Re: OpenLDAP synchtonization with windows/Active Directory

[Michael Ströder <michael@stroeder.com>]

Razi Garbie wrote:
> 2008/2/13, Michael Ströder <michael@stroeder.com 
> <mailto:michael@stroeder.com>>:
>
>     Use pam_ldap or pam_krb5 against AD. NIS information you can retrieve
>     from OpenLDAP with nss_ldap. No syncing needed for that, just different
>     ldap.conf files for pam_ldap and nss_ldap.
>
> I see, so a slapd is not needed?

In this scenario authentication would be done directly with AD. But you 
also might want to retrieve the NIS information (what's in /etc/passwd) 
via LDAP. It depends whether you also want that information to be stored 
in AD or not.

> If thats the case, do you perhaps know if i'll be able to authenticate 
> services that use LDAP:// and not PAM?

You can have a mixture of applications directly checking a password via 
LDAP and some using PAM or some directly using Kerberos or...

But take into account operational and security considerations.

> Could someone please give me links so that i can read up upon how to 
> setup OpenLDAP to authenticate against Windows/AD.

Use SASL GSSAPI for using Kerberos with AD to authenticate clients which 
bind to slapd.

Ciao, Michael.