[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
AD, freeradius, openldap combination
- To: Openldap Technical <openldap-technical@openldap.org>
- Subject: AD, freeradius, openldap combination
- From: Serge Fonville <serge.fonville@gmail.com>
- Date: Wed, 31 Mar 2010 10:47:30 +0200
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:from:date:received :message-id:subject:to:content-type; bh=BoTOsVrPO9o/Vh9TpBpwSvsNAfOK0pZmMvrb/n/C8+U=; b=PySQiqBTavpJwOiybsUlSHHa4r/mZHl9eKK8nX+MMmdO7O3IOpEoklCIuLNZ8urF77 CmYY0bSdKmBkshZFbpRDVpBOEGB/ip/C4O/KcYn8nM6iP3ePcT84Na11MjcdUuP6KbOz jeIVTIPQQDceHRL63CsFY6C/ruoK0zRVQcTvE=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:from:date:message-id:subject:to:content-type; b=Y5yf7/d5hkIX/nXfrZe4dZwciJ2qtfXOhRC2Zi7Y1KCOHqSPVvMcO1i9aOiy2RBiPS qChaziqYbtyECDsSj2R9xaxE6Vy6hFjLoWTOEV32hlIhzktlLvMUTuURJJ+0Adt2pBXM kLeb+S+K2BfJxlNtYKuRt+XYt+Egux0EJ4h9s=
Hi,
I'm setting up a HA environment with centralized user administration.
I'm currently considering the following setup
For MS clients, authenticate directly to AD
For *nix clients, authenticate to an OpenLDAP proxy which authenticate to AD
For Routers/switches use FreeRadius to authenticate against the OpenLDAP proxy
The goals for the setup are:
1. One login for all networked nodes
2. Centralized user authentication
3. Single resource for user information
4. Highly available authentication service
5. No serious performance impact
6. Alternative login when service is unavailable
7. Easily scalable
8. Easy rollout
1, 2, 3 and 7 are achieved using AD
4 can be achieved by a combination of a loadbalancer for each service
and multiple instances of each service
not sure if 5 is realistic, but it should be possible I suppose
6 is no problem for any host
8 can be done through scripting
What I would like to know now is:
Is it advisable to set it up like this?
Are there 'better' ways to achieve the same result. (performance,
availability, ease of maintenance)
Would it be better to let radius talk directly to AD, possibly even
using the MS radius server.
Is it advisable to use an OpenLDAP proxy for *nix authentication or
can I just as well use AD directly.
The main reasons for me to assume this setup is the most suitable are:
AD replicates by default
OpenLDAP proxy does not need to replicate
OpenLDAP is more 'compatible' with the *nix clients
FreeRadius does not need to replicate
All can be loadbalanced easily.
The main question I want to know from the OpenLDAP list is: "how well
does the OpenLDAP proxy perform?"
For the remainder, if anyone wants to shed some light on this, I would
greatly appreciate it.
Thanks a lot in advance.
Regards,
Serge Fonville
--
http://www.sergefonville.nl
Convince Google!!
They need to support Adsense over SSL
https://www.google.com/adsense/support/bin/answer.py?hl=en&answer=10528
http://www.google.com/support/forum/p/AdSense/thread?tid=1884bc9310d9f923&hl=en