RE: RFT0001 : Request For Thoughts
> -----Original Message-----
> From: openldap-technical-bounces+christopher.barry=qlogic.com@openldap.org
> [mailto:openldap-technical-bounces+christopher.barry=qlogic.com@openldap.org] On Behalf Of Dieter Kluenter
> Sent: Tuesday, September 23, 2008 1:11 PM
> To: openldap-technical@openldap.org
> Subject: Re: RFT0001 : Request For Thoughts
>
> "Christopher Barry" <christopher.barry@qlogic.com> writes:
>
> > Hi everyone,
>
> [..]
> > The Parts Bin:
> > There's a bunch of parts around, and they all kind of fit together, but
> > to my current understanding anyway, seem to create a few different
> > incomplete solutions, such as:
> > * Samba/Winbind/Kerberos (possibly backed by OpenLDAP)
>
> No, this is not possible, ask on a samba list for reasons.
>
> > * OpenLDAP/Kerberos with trusts to AD
>
> yes, this can be done,
>
> > * AD using 2003R2 and possibly custom schema modifications if
> > required.
>
> this could be done
> >
> > My question really is what are others doing to solve this type of
> > problem? Architecturally, what is the best approach given the above
> > desired outcome?
>
> If you administer a homogenous windows network, keep AD as primary
> domain controller (just KDC) and configure samba as backup
> controller.
> If you administer a heterogenous network, get, in addition to the
> above mentioned design, OpenLDAP plus heimdal kerberos to administer
> Unix hosts and users and create a trust relation to AD.
>
> -Dieter
>
> --
> Dieter Klünter | Systemberatung
> http://www.dpunkt.de/buecher/2104.html
> GPG Key ID:8EF7B6C6
> 53°08'09,95"N
> 10°08'02,42"E
>
>
Thanks Dieter.
Why heimdal as opposed to MIT? Is it better at AD interop, or are you thinking about crypto restrictions?
Also, would you recommend keeping all user/group data in AD proper, but all other NIS related stuff in OpenLDAP?
Regards,
-C