On Fri, 1 Mar 2013 16:32:17 -0500, Mailing Lists <[email protected]> wrote:
> Hello,
> I posted a question along these lines a few months ago and received
> replies, but never understood enough to implement them. I've done more
> research in the meantime and hopefully have learned enough to ask this
> question intelligently.
> I'm working on a project proposal for integrating Linux machines into
> a Windows environment. The client is very concerned about their AD
> environment and wants to do as little modification to it as possible
> (preferably none).
>
> What I'd like to propose is that we set up an OpenLDAP server that
> chains to AD. If possible, I would like to use the OpenLDAP client's
> credentials to bind to AD instead of having a dedicated user for the
> OpenLDAP <--> AD connection. I believe this can be accomplished with
> the 'rebind-as-user' option of the ldap backend (slapd-ldap). Is this
> correct? Now here's where I think it gets tricky. We also need to be
> able to store information for the Linux boxes in LDAP (samba winbind
> mappings for example), but keep it separate from AD. I know that part
> of this would require a dedicated LDAP database backend (slapd-bdb)
> to be configured, but what confuses me is how to combine these two
> separate entities (the AD proxy and this bdb database) into one
> 'virtual' backend that clients can query against. Is this where
> slapd-translucent would come into play? Finally, if I want to create
> OUs in the Linux LDAP database that contain user DNs from AD, is that
> possible?
>
> Any guidance, example solutions, or suggested reading is greatly
> appreciated.

As usual, there are several approaches. Either add back-ldap or some
scripting backend like back-perl in order to request AD, but in any case
you have to include the AD schema into your subschema. Or get some sort
of meta directory, there are a few available.

-Dieter

--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N 10°08'02,42"E
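A slapd.conf sketch of the back-ldap approach discussed in this thread, added here as an illustration (it is not from the original post or from Dieter): a proxy database for AD that forwards each client's own bind, beside a separate local database for the Linux-side data, with the AD schema included as Dieter requires. Host names, suffixes, paths and the `ad.schema` file are placeholders; gluing the two databases into one virtual tree (subordinate/glue, back-meta) and the translucent overlay are left out.

```conf
# Added example for this thread (not from the original post or from Dieter).
# Schema: standard files plus a locally maintained conversion of the AD schema
# (placeholder file name; OpenLDAP does not ship one) and samba.schema, which
# comes with Samba and defines the winbind/idmap object classes.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/ad.schema
include         /etc/openldap/schema/samba.schema

# CA that issued the domain controllers' certificates, used by "tls start".
TLSCACertificateFile    /etc/openldap/cacerts/ad-ca.pem

# 1) Proxy to AD. A client binds to slapd with its own AD DN and password and
#    back-ldap performs that bind against AD, so no service account lives here.
database        ldap
suffix          "dc=corp,dc=example,dc=com"
uri             "ldap://dc1.corp.example.com/"
# Start TLS on the proxied connection; without it every user's password would
# cross the wire to the domain controller in the clear.
tls             start
# Keep the client's credentials so slapd can re-bind as that same user when the
# proxied connection has to be re-established or a referral is chased.
rebind-as-user  yes
# Drop idle proxied connections instead of holding them (and the cached
# credentials) open indefinitely.
idle-timeout    300

# 2) Local data for the Linux boxes (winbind/idmap mappings, local OUs), kept
#    out of AD entirely. Entries here may reference AD users by DN, e.g. in
#    member or owner attributes; those DNs resolve through the proxy above.
database        bdb
suffix          "dc=linux,dc=example,dc=com"
directory       /var/lib/ldap/linux
rootdn          "cn=admin,dc=linux,dc=example,dc=com"
# Placeholder: generate the real value with slappasswd.
rootpw          {SSHA}PLACEHOLDER
index           objectClass     eq
index           uid             eq
# Because binds are proxied, the session identity is the AD DN; the local
# database can therefore grant access by AD identity and refuse anonymous reads.
access to dn.subtree="dc=linux,dc=example,dc=com"
        by dn.subtree="dc=corp,dc=example,dc=com" read
        by * none
```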
