Does anyone know of a solution that would allow me to do user account synchronization between Windows Active Directory and an LDAP Server hosted on a Linux Server? I'm currently looking at FreeIPA (www.freeIPA.org) and 389DS (http://directory.fedoraproject.org).

I'm looking to do account synchronization because the AD server is being deployed at our HQ which is not hardened (no generator backing and only 1 internet connection) whereas the Linux LDAP server is being deployed into a hardened datacenter. All the machines in the datacenter are Linux based and 90% of the machines at HQ are Windows. I understand that 389DS and FreeIPA have the synchronization for users, but they require a separate program to be installed to do the passwords as well. I was curious if anyone knew how to get a Kerberos slave in Linux to be mated to the Linux LDAP server for password auth and receive its updates from the Windows server, so that no extra applications would need to be installed, and so that if the AD server goes down the Linux hosts will still be able to authenticate against the Linux LDAP server.

About 50% of our users are solely Windows based, 45% of our users deal with both Windows and Linux, and the last 5% use Apple solely, and I'm currently trying to get a system that will allow a user to only know 1 username and password to log into all of our systems.

John Gardeniers
    Heterogeneous environments are just painful to manage, and I don't know of any way around that. (Which is to say I'm pretty sure there isn't one at this point.) – HopelessN00b Dec 21 '12 at 01:24

3 Answers

If you really want to do this correctly you should deploy a domain controller in your datacenter and have your Linux systems authenticate against it (add the POSIX extensions to AD, and extend each AD account that needs Unix access to be a posixAccount).

Trying to make AD subservient to another authentication/authorization store is exceedingly difficult and failure prone. In contrast Unix systems are usually able to authenticate against AD (by treating it as plain vanilla LDAP) without too much effort.

Taking this route has a number of benefits - among them you have a secondary AD domain controller (at the datacenter, on battery/UPS), and you get a working single authentication store.

voretaq7
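As an added illustration of the route described above (example configuration, not part of the original answer), here is an SSSD client configuration for a Linux host that authenticates against two domain controllers, reads the POSIX attributes stored on the AD accounts instead of generating IDs, and keeps cached credentials so logins survive the HQ link going down. The domain and DC hostnames are assumed placeholders.

```ini
# /etc/sssd/sssd.conf  (added example; domain and hostnames are placeholders)
# Must be owned by root with mode 0600 or sssd refuses to start.
[sssd]
config_file_version = 2
services = nss, pam
domains = corp.example.com

[domain/corp.example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = corp.example.com

# Ordered failover list: the DC in the hardened datacenter is preferred,
# the HQ DC is used only when the first one is unreachable.
ad_server = dc-datacenter.corp.example.com, dc-hq.corp.example.com

# Use the RFC 2307 attributes (uidNumber, gidNumber, loginShell,
# unixHomeDirectory) set on the posixAccount-extended AD objects rather
# than SSSD's locally generated ID mapping, so UIDs match on every host.
ldap_id_mapping = False
ldap_user_home_directory = unixHomeDirectory
fallback_homedir = /home/%u
default_shell = /bin/bash

# Let previously seen users log in from cached hashes when no DC answers.
cache_credentials = True
krb5_store_password_if_offline = True
```

The host must first be joined to the domain (for example with `realm join` or `net ads join`) so it holds a machine keytab; `getent passwd <user>` then shows whether the POSIX attributes are being read from AD.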
There is more to Active Directory than just a bunch of LDAP objects and attributes. Some of the interop protocols are proprietary; many security-sensitive attributes and APIs are locked, are not extensible by any kind of hooks, and can only be called by trusted code. Using a different GINA to handle password updates is what is commonly done (tm) in the Windows world if you have any secondary directory to write your password change to.

You might want to look into Novell's eDirectory / NDS and the SSO featureset - it has been pretty much designed with heterogeneous Linux/Windows environments in mind.

the-wabbit
Samba 4 has just been released; this is the first version that is "fully" Active Directory compatible.

I haven't had a chance yet to play with it, but since it is *nix native and AD compatible, it may be the best method going forward.

fukawi2
  • Samba 4 has been in the process of being released for more than a decade now. Even though it has moved to a "released" state, it is likely to have bugs which might stop deployment in one case or another. Additionally, Samba4 brings its own LDAP server and other configurations are explicitly recommended against: [*This page is a guide to setting up Samba4 to use a general purpose LDAP server as the backend. However, this mode of operation is not recommended and is only available to support some esoteric configurations.*](https://wiki.samba.org/index.php/Samba4/LDAP_Backend) – the-wabbit Dec 21 '12 at 13:01