[nycbug-talk] AD <-> LDAP
Matt Juszczak
matt at atopia.net
Wed Sep 8 17:32:18 EDT 2010
Hi folks,
I have a bit of a theory question here, and I'd like to get people's
opinion.
We have about 10 Windows servers, and about 200 *nix servers. The Windows
servers are Active Directory, but the *nix servers aren't central auth
quite yet (we're working on it). In any event, we're currently using an
OpenLDAP setup to store Puppet node configuration, sudo info, internal
DNS, and authentication for the *nix instances tied into the "new
standardized setup". However, there's one negative - the Windows servers
use AD for authentication, and the *nix boxes use the OpenLDAP servers for
authentication, and they aren't tied together.
There's been some talk about removing the OpenLDAP instances, and tying
all 200 *nix instances into the Active Directory servers with Winbind.
In order to get rid of the OpenLDAP instances entirely, I'd also have to
move the puppet, powerdns, etc. schema into Active Directory as well. I
suppose the OpenLDAP instances could just be kept up to store puppet and
internal DNS info.
To be honest, this option scares me, as I'd much rather have a sync script
that syncs accounts from AD -> OpenLDAP, and keep the native OpenLDAP
authentication going (which will also continue to store the puppet node
configuration, sudoers info, and internal DNS). However, if there are
people on here who have had positive experiences with this, I'd love to
hear them so my mind can change, as there's definitely pressure to
completely stick with AD for everything, and utilize Winbind to link the
200 *nix boxes to central authentication.
Thanks,
Matt
More information about the talk
mailing list