[nycbug-talk] AD <-> LDAP
Edward Capriolo
edlinuxguru at gmail.com
Wed Sep 8 17:47:44 EDT 2010
On Wed, Sep 8, 2010 at 5:32 PM, Matt Juszczak <matt at atopia.net> wrote:
> Hi folks,
>
> I have a bit of a theory question here, and I'd like to get people's
> opinion.
>
> We have about 10 Windows servers, and about 200 *nix servers. The Windows
> servers are Active Directory, but the *nix servers aren't central auth quite
> yet (we're working on it). In any event, we're currently using an OpenLDAP
> setup to store Puppet node configuration, sudo info, internal DNS, and
> authentication for the *nix instances tied into the "new standardized
> setup". However, there's one negative - the Windows servers use AD for
> authentication, and the *nix boxes use the OpenLDAP servers for
> authentication, and they aren't tied together.
>
> There's been some talk about removing the OpenLDAP instances, and tying all
> 200 *nix instances into the Active Directory servers with Winbind. In order
> to get rid of the OpenLDAP instances entirely, I'd also have to move the
> puppet, powerdns, etc. schema into Active Directory as well. I suppose the
> OpenLDAP instances could just be kept up to store puppet and internal DNS
> info.
>
> To be honest, this option scares me, as I'd much rather have a sync script
> that syncs accounts from AD -> OpenLDAP, and keep the native OpenLDAP
> authentication going (which will also continue to store the puppet node
> configuration, sudoers info, and internal DNS). However, if there are
> people on here who have had positive experiences with this, I'd love to hear
> them so my mind can change, as there's definitely pressure to completely
> stick with AD for everything, and utilize Winbind to link the 200 *nix boxes
> to central authentication.
>
> Thanks,
>
> Matt
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>
I know some people who have lifted the schema restrictions on Active
Directory and just went to town on it, adding sudo schema etc.
http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Windows_Sync.html
I can not say I have tried it but the literature claims two way
synchronization. I have administered many iplanet,389,RHDS (whatever
you want to call it) instances and have had great luck with the
complex features like the Multi-Master replication.
I know you were probably not looking to dump OpenLDAP, but when faced
with dumping OpenLDAP or linux. 389/RHDS might be able to give you
what you need.
As you mentioned there is always "code it yourself options"
More information about the talk
mailing list