[nycbug-talk] AD <-> LDAP

Matt Juszczak matt at atopia.net
Wed Sep 8 17:32:18 EDT 2010

Hi folks,

I have a bit of a theory question here, and I'd like to get people's 

We have about 10 Windows servers, and about 200 *nix servers.  The Windows 
servers are on Active Directory, but the *nix servers aren't on central auth 
quite yet (we're working on it).  In any event, we're currently using an 
OpenLDAP setup to store Puppet node configuration, sudo info, internal 
DNS, and authentication for the *nix instances tied into the "new 
standardized setup".  However, there's one negative - the Windows servers 
use AD for authentication, and the *nix boxes use the OpenLDAP servers for 
authentication, and they aren't tied together.

There's been some talk about removing the OpenLDAP instances, and tying 
all 200 *nix instances into the Active Directory servers with Winbind. 
In order to get rid of the OpenLDAP instances entirely, I'd also have to 
move the puppet, powerdns, etc. schema into Active Directory as well.  I 
suppose the OpenLDAP instances could just be kept up to store puppet and 
internal DNS info.

To be honest, this option scares me, as I'd much rather have a sync script 
that syncs accounts from AD -> OpenLDAP, and keep the native OpenLDAP 
authentication going (which will also continue to store the puppet node 
configuration, sudoers info, and internal DNS).  However, if there are 
people on here who have had positive experiences with this, I'd love to 
hear them so my mind can change, as there's definitely pressure to 
completely stick with AD for everything, and utilize Winbind to link the 
200 *nix boxes to central authentication.
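What the "sync accounts from AD -> OpenLDAP" option in the message above would look like in practice, as an added example that is not part of the original post and not anything the poster described. It assumes AD records have already been fetched (e.g. with ldapsearch or python-ldap) and arrive as plain records; that the OpenLDAP people tree is ou=People,dc=example,dc=com; that uidNumber is derived from the SID's RID plus a fixed offset (the same idea as Winbind's idmap rid backend); and that disabled AD accounts and names that are not valid *nix logins are skipped. All of those are assumptions, as is the sample data. Note what it deliberately does not do: AD never exposes password hashes over LDAP, so a sync script cannot copy credentials; the generated entries carry no userPassword, and password checking has to be delegated to the domain (for instance OpenLDAP's SASL pass-through via saslauthd, or Kerberos).

```python
"""AD -> OpenLDAP one-way account sync (constructed example).

Assumptions, none from the original post: AD records arrive as AdUser objects
fetched elsewhere; target tree is ou=People,dc=example,dc=com; uidNumber =
UID_BASE + RID. No userPassword is written: AD does not expose hashes, so
authentication must be delegated (SASL pass-through or Kerberos).
"""
import re
from dataclasses import dataclass

UID_BASE = 10000  # constructed offset; choose one that cannot collide with local UIDs
PEOPLE_BASE = "ou=People,dc=example,dc=com"  # constructed
USER_ACCOUNT_DISABLED = 0x0002  # ACCOUNTDISABLE bit in AD userAccountControl
UID_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")  # conservative *nix login syntax


@dataclass
class AdUser:
    sAMAccountName: str
    objectSid: str
    displayName: str
    userAccountControl: int
    mail: str = ""


def rid_from_sid(sid: str) -> int:
    """The last sub-authority of S-1-5-21-<domain>-<RID> is the RID."""
    parts = sid.split("-")
    if len(parts) < 8 or parts[0] != "S":
        raise ValueError(f"not a domain SID: {sid}")
    return int(parts[-1])


def to_posix(user: AdUser):
    """Map one AD user to posixAccount attributes, or None if it must not be provisioned."""
    if user.userAccountControl & USER_ACCOUNT_DISABLED:
        return None  # disabled in AD -> never appears on the *nix side
    uid = user.sAMAccountName.lower()
    if not UID_RE.match(uid):
        return None  # refuse names that are invalid or risky as *nix logins
    rid = rid_from_sid(user.objectSid)
    entry = {
        "dn": f"uid={uid},{PEOPLE_BASE}",
        "objectClass": ["top", "person", "organizationalPerson",
                        "inetOrgPerson", "posixAccount"],
        "uid": uid,
        "cn": user.displayName or uid,
        "sn": user.displayName.split()[-1] if user.displayName else uid,
        "uidNumber": str(UID_BASE + rid),
        "gidNumber": str(UID_BASE),  # constructed: one shared "domain users" group
        "homeDirectory": f"/home/{uid}",
        "loginShell": "/bin/sh",
    }
    if user.mail:
        entry["mail"] = user.mail
    return entry  # intentionally no userPassword


def to_ldif(entry: dict) -> str:
    """Render an entry as LDIF suitable for ldapadd."""
    lines = [f"dn: {entry['dn']}"]
    for key, value in entry.items():
        if key == "dn":
            continue
        values = value if isinstance(value, list) else [value]
        lines.extend(f"{key}: {v}" for v in values)
    return "\n".join(lines) + "\n"


def sync(ad_users, existing_uids):
    """One-way sync, AD wins: return (LDIF entries to add, uids to remove)."""
    wanted = {}
    for user in ad_users:
        entry = to_posix(user)
        if entry:
            wanted[entry["uid"]] = entry
    adds = [to_ldif(e) for uid, e in wanted.items() if uid not in existing_uids]
    removes = sorted(set(existing_uids) - set(wanted))
    return adds, removes


# Constructed sample AD export; not real accounts.
SAMPLE_AD = [
    AdUser("jdoe", "S-1-5-21-1111-2222-3333-1105", "Jane Doe", 0x200, "jdoe@example.com"),
    AdUser("svc_old", "S-1-5-21-1111-2222-3333-1200", "Old Service", 0x202),  # disabled
    AdUser("bad;name", "S-1-5-21-1111-2222-3333-1300", "Bad Name", 0x200),   # invalid login
]

if __name__ == "__main__":
    # "stale" exists in OpenLDAP but not in AD, so it is scheduled for removal.
    adds, removes = sync(SAMPLE_AD, existing_uids={"stale"})
    print("".join(adds))
    print("remove:", removes)
```

The removal list is the part worth keeping in a real deployment: if accounts are only ever added, an employee disabled in AD keeps a working *nix login, which is exactly the gap a one-way sync is supposed to close. Run the script against a fresh AD export on a schedule and feed the output to ldapadd/ldapdelete only after reviewing the removal list the first few times.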



