On Wed, 2008-05-07 at 10:56 -0400, Rich West wrote:
> Andrew Bartlett wrote:
> > On Tue, 2008-05-06 at 16:41 -0400, Rich West wrote:
> >
> > > I am not entirely sure where to ask this particular question, and I
> > > apologize in advance if this is not the correct forum...
> > >
> > > We have an AD infrastructure and we'd like to get all of our unix boxes
> > > to authenticate against the AD servers.
> > >
> >
> > You really should be looking at Samba and winbind. There we handle all
> > the messy details of dealing with AD.
> >
> > If you want (say, for reasons of reducing dependence on AD) to use your
> > own replicated directory, then this is quite possible (and OpenLDAP
> > would be a fine DS for that purpose), but this gets painful with
> > passwords etc.
>
> Interesting... I was not aware that there was a PAM hook for
> user/password auth.

Yes, pam_winbind and nss_winbind are key parts of what makes winbind what
it is. If you want something that just works, then this is the route to
move down.

> If I were to do an OpenLDAP replica, it would be read-only, which should
> make things a little easier (I hope). Again, if I went down that route,
> I am not sure exactly how to proceed (write a perl script to perform the
> right ldapsearch to pull all of the users' entries to build the ldif file
> which then gets slurped into openldap? write a perl script to use the
> ldap lib to grab each entry and insert it into openldap?)

I think it's all been done before, but the challenge is getting the
passwords. You end up either with passing these along (simple bind ->
krb5 kinit in the OpenLDAP server) or with nasty password sync stuff.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
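An added example of the winbind route recommended above, showing how smb.conf, nss_winbind and pam_winbind fit together; it is my configuration, not anything posted in this thread, and it assumes a current Samba (the idmap syntax changed after 2008). The realm, workgroup, idmap range and the group name in require_membership_of are placeholders.

```conf
# /etc/samba/smb.conf (excerpt): join the box to AD and let winbind resolve AD accounts
[global]
    security = ads
    realm = EXAMPLE.COM                  ; placeholder: your AD Kerberos realm
    workgroup = EXAMPLE                  ; placeholder: NetBIOS domain name
    kerberos method = secrets and keytab
    # Explicit, stable uid/gid mapping; keep the range clear of local accounts
    idmap config * : backend = tdb
    idmap config * : range = 10000-99999
    winbind use default domain = yes
    winbind enum users = no              ; don't let "getent passwd" walk the whole domain
    winbind enum groups = no
    winbind offline logon = no           ; no cached AD credentials on the host
    template shell = /bin/bash
    template homedir = /home/%U

# /etc/nsswitch.conf: nss_winbind makes AD users and groups visible as POSIX accounts
passwd:     files winbind
group:      files winbind
shadow:     files

# /etc/pam.d/common-auth (Debian layout; RHEL uses /etc/pam.d/system-auth):
# pam_winbind checks the password against AD over Kerberos and keeps the ticket,
# and only members of one AD group (placeholder name) may log in at all.
auth     sufficient  pam_winbind.so krb5_auth krb5_ccache_type=FILE require_membership_of=EXAMPLE\unix-logins
auth     required    pam_unix.so try_first_pass

# /etc/pam.d/common-account and common-session
account  sufficient  pam_winbind.so
account  required    pam_unix.so
session  required    pam_unix.so
session  optional    pam_mkhomedir.so skel=/etc/skel umask=0077
```

After `net ads join -U <admin>`, confirm `wbinfo -t` (machine trust secret) and `getent passwd <ad-user>` (NSS resolution) succeed before enabling the PAM lines, so a broken join cannot lock you out.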