Re: openldap and Active directory integration

From: Al Mulnick (amulnick_No_SPAM_at_ncDOTrr.com)
Date: 01/15/05


Date: Sat, 15 Jan 2005 09:35:57 -0500

Let me make a suggestion: Rather than use two separate directories, explore
options that let you use one.
Why do I say that? Because you already have the components in Active
Directory and you've already put the effort into Active Directory. Why
would you want to then duplicate that effort/expense to have openldap as
well? What is the major benefit of two directories/identities for access
control?

Active Directory is already providing you with Identification (LDAP as you
mentioned), Authentication, and Authorization mechanisms. OpenLDAP offers
you Identification. You would have to use other means for Authentication
and Authorization adding to your complexity.

One such option is a product like www.centrify.com
Vintela offers one as well, although I'm not familiar with their products
for many years.

If instead you decide that you need OpenLDAP, then you will be
wanting to look at meta-directory/identity management/password sync tools.
The alternative is to use Kerberos realm trusts, but that level of
integration may not be the reliable method you want.

OpenLDAP and Active Directory can coexist well. It's possible. I'm just
saying that the level of effort may not be justified based on what you've
posted to date. You may have other factors that influence this decision
that I'm unaware of, but I needed to throw that out there for the sake of
completeness.

Tools like MIIS would be helpful if you go the sync route. You'll need to
sync identity and passwords and I suggest something like MIIS because of the
complexity of keeping it all together across the multiple directories. It's
not to say you couldn't use a script or something in your environment if you
can tolerate lag times. Passwords will be another challenge you'll have to
figure out depending on how you decide to architect this. I've got some
ideas, but let me know how you decide to proceed so I can at least make it
useful to you.

I haven't yet seen any open source versions of identity management that
would be worth talking about in this situation, but if you find any I'd
appreciate hearing about it.

There was a whitepaper on Microsoft's site a while back about integrating
Unix into Active Directory environments that talks about all of this and the
components etc. It's a little dated now, but might be of use. They have a
lot of information about integrating *nix out on their site as well at
http://www.microsoft.com/unix

Last but not least, have you seen what SFU (Services for Unix) can do for
you? http://www.microsoft.com/windows/sfu/ I don't think it's as clean as
you might be looking for, and is not the directory integration piece that
you want, but it might be of interest anyway.

Does that help, or was there something more/different you were looking for?

"Francis" <Francis@discussions.microsoft.com> wrote in message
news:AA6CA968-66E5-4A44-B251-1FE0ED82AE6F@microsoft.com...
> To date, we have user accounts on UNIX and user accounts on Windows and
> they are not synchronized. As you know, Active Directory is simply LDAP
> underneath. On the UNIX side, we are currently using NIS+
> but I'm very close to migrating to OpenLDAP.
>
> Once we have OpenLDAP in place to manage user accounts on the UNIX side,
> I would like to explore the possibility of syncing Active Directory with
> OpenLDAP. So yeah, some means of authentication realms to go with that.
>
>
> "Al Mulnick" wrote:
>
>> What have you done to date?
>> What you're talking about is a meta-directory/identity solution because
>> presumably you want some password synch or trusting of authentication
>> realms
>> to go with that correct?
>>
>> Al
>>
>>
>>
>>
>> "Francis" <Francis@discussions.microsoft.com> wrote in message
>> news:F9FE8174-C131-4AF5-8788-2FF5A9A3D784@microsoft.com...
>> > Hi,
>> >
>> > I'm working on a solution to sync Open LDAP with AD on Windows 2003
>> > server.
>> > User accounts are currently sitting on UNIX with others on Windows.
>> > However,
>> > the idea is to explore the possibility of syncing Active Directory with
>> > OpenLDAP - where OpenLDAP would contain the master list of accounts,
>> > and
>> > Active Directory would update itself from that. Then, there will be no
>> > need
>> > to have separate accounts.
>> >
>> > Please help !!!!
>> >
>> >
>>
>>
>>
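The "script ... if you can tolerate lag times" option Al mentions, as an added example that is not part of the thread or of any product named in it: a one-way reconciliation from an OpenLDAP master list into Active Directory. It assumes the Windows 2003 R2 RFC 2307 attribute names in AD (SFU 3.x would use msSFU30UidNumber and friends), uses constructed sample entries, contacts no directory, and deliberately never carries userPassword across, since AD cannot accept an OpenLDAP hash.

```python
# posixAccount -> AD attribute names (Windows 2003 R2 RFC 2307 schema assumed;
# SFU 3.x uses msSFU30UidNumber and friends). userPassword is deliberately not
# mapped: it is a hash AD cannot accept, so passwords need a separate flow.
ATTR_MAP = {"uid": "sAMAccountName", "cn": "displayName",
            "uidNumber": "uidNumber", "loginShell": "loginShell"}

def parse_ldif(text):
    """Minimal LDIF reader: one {attr: [values]} dict per blank-line-separated entry."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if line.strip():
            attr, _, value = line.partition(": ")
            cur.setdefault(attr, []).append(value)
        elif cur:
            entries.append(cur)
            cur = {}
    return entries

def plan_sync(ldif_text, ad_users):
    """(action, sAMAccountName, attrs) for AD adds/modifies; in-sync users skip."""
    plan = []
    for e in parse_ldif(ldif_text):
        if "posixAccount" not in e.get("objectClass", []):
            continue  # groups, OUs etc. are out of scope for this pass
        want = {ad: e[ldap][0] for ldap, ad in ATTR_MAP.items() if ldap in e}
        sam, have = want["sAMAccountName"], ad_users.get(want["sAMAccountName"])
        diff = want if have is None else {k: v for k, v in want.items() if have.get(k) != v}
        if diff:  # empty diff means AD already matches the master: idempotent reruns
            plan.append(("add" if have is None else "modify", sam, diff))
    return plan

# Constructed sample: the OpenLDAP master list and a snapshot of current AD users.
MASTER_LDIF = """dn: uid=fbrown,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: fbrown
cn: Francis Brown
uidNumber: 10001
loginShell: /bin/bash
userPassword: {SSHA}constructed-hash-never-copied

dn: uid=amul,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: amul
uidNumber: 10002
"""
AD_SNAPSHOT = {"fbrown": {"sAMAccountName": "fbrown", "displayName": "Francis Brown",
                          "uidNumber": "10001", "loginShell": "/bin/sh"}}

for action, sam, attrs in plan_sync(MASTER_LDIF, AD_SNAPSHOT):
    print(action, sam, attrs)  # fbrown -> modify loginShell; amul -> add
```

Running the plan against AD (via LDAPS) is the part left out here; the lag Al mentions is whatever interval you schedule this reconciliation at.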
