On Thu, 12 Jun 2014 12:22:00 -0400, Justin Stanczak <[email protected]> wrote:
> This is probably better posted on the Kerberos list, but can a Kerberos
> server work with AD? Meaning set up a Kerberos server (not MS) to
> authenticate users, and AD accepts tickets from that?

Yes, this can be done. There is some Microsoft documentation on this
topic, just search technet.microsoft.com.

-Dieter

>
> On Tue, Jun 10, 2014 at 9:36 AM, Stewart Walters
> <[email protected]> wrote:
>
> > Hi Justin,
> >
> > My emails don't seem to arrive to the openldap-technical list.
> >
> > But, (and please note, I've never actually done this before) you
> > could use a virtual LDAP directory front-end to combine portions of
> > both AD and OpenLDAP to provide clients with a single unified
> > view. In theory the client can't tell the difference between data
> > from one or the other (though I imagine that the theory and the
> > practice of this is completely different, which is why I've never
> > attempted this).
> >
> > Such products that provide this are MyVD
> > (http://myvd.sourceforge.net/) and some commercial ones like
> > RadiantOne VDS, Virtual Identity Server, Virtual LDAP Server EE
> >
> > However all of that complicates what should be a relatively simple
> > thing - storing and retrieving an identity held within a
> > directory. I wouldn't recommend looking at virtual directories as
> > a way forward, you're likely to run into bigger problems by over
> > engineering the solution.
> >
> > I find it's best to keep things simple. Either keep the OpenLDAP
> > and AD identities separate between the two directories, or if you
> > have to, look towards suggestions made by others (such as using
> > Kerberos V5 Trusted Realm+OpenLDAP; or Samba+OpenLDAP).
> >
> > Best of luck,
> >
> > Stewart

--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
