I want to keep the password part in the current LDAP so we don't have to do a mass reset for all parties. And I didn't want to move the LDAP to an MS product. Thanks for the information.
On Fri, Jun 6, 2014 at 8:08 PM, Stewart Walters <[email protected]> wrote:

> Just spitballing here, because I'm not exactly sure I completely understand your usage scenario.
>
> You say you want AD to use OpenLDAP as the authentication source, I presume so that Windows workstation logins can authenticate against an identity in OpenLDAP?
>
> If Group Policy/File and Printer management and other aspects of AD aren't hugely important to the control and management of your workstation fleet, you could deploy pGina (pgina.org) to every workstation. pGina will replace the Windows Ctrl + Alt + Del style login screen with one that will allow users to authenticate directly to an identity in OpenLDAP.
>
> If that's not your scenario (or if you need the Group Policy/File and Print stuff), as Peter correctly asserts - Samba 3/4 can be used as a drop-in replacement for AD. It can also be configured to use Kerberos and OpenLDAP on the backend to control identity and authentication. Without having to learn Samba (which by extension, often requires you to know low-level concepts of AD itself), you could also consider a FreeIPA deployment which may or may not assist with simplifying the configuration of Samba4.
>
> Another way would be to use an IDAM product such as Microsoft Forefront Identity Manager (or the Quest or NetIQ equivalents) to replicate user identities and passwords in AD over to OpenLDAP (and vice versa). I suspect however that an IDAM project is probably too over-engineered/too expensive for your needs.
>
> Hope that helps,
>
> Stewart
