Does anyone know of a solution that would allow me to do user account synchronization between Windows Active Directory and an LDAP Server hosted on a Linux Server? I'm currently looking at FreeIPA (www.freeIPA.org) and 389DS (http://directory.fedoraproject.org).
I'm looking to do account synchronization because the AD server is being deployed at our HQ, which is not hardened (no generator backup and only one internet connection), whereas the Linux LDAP server is being deployed into a hardened datacenter. All the machines in the datacenter are Linux-based and 90% of the machines at HQ are Windows. I understand that 389DS and FreeIPA have the synchronization for users, but they require a separate program to be installed to do the passwords as well. I was curious if anyone knew how to get a Kerberos slave in Linux to be mated to the Linux LDAP server for password auth and receive its updates from the Windows server, so that no extra applications would need to be installed, and so that if the AD server goes down the Linux hosts will still be able to authenticate against the Linux LDAP server.
About 50% of our users are solely Windows-based, 45% of our users deal with both Windows and Linux, and the last 5% use Apple solely, and I'm currently trying to get a system that will allow a user to know only one username and password to log into all of our systems.
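For reference, this is what the 389DS side of the user/group synchronization the question refers to looks like. It is an added example, not configuration from the original post or from the 389DS project: a one-way Windows sync agreement that pulls user and group entries from AD into the directory server. The attribute names are the documented winsync agreement attributes; the suffix, hostnames, DNs, bind account and interval are assumptions.

```ldif
# Added example, not from the original post: a one-way 389DS winsync
# agreement that pulls user and group entries from an AD domain.
# The suffix, hostnames, DNs and bind account are assumptions.
dn: cn=ad-to-ds-sync,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
objectClass: top
objectClass: nsDSWindowsReplicationAgreement
cn: ad-to-ds-sync
description: One-way sync of users and groups from AD at HQ into the datacenter DS
# Where the entries live on each side
nsDS5ReplicaRoot: dc=example,dc=com
nsds7WindowsReplicaSubtree: cn=Users,dc=example,dc=com
nsds7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
nsds7WindowsDomain: example.com
nsds7NewWinUserSyncEnabled: on
nsds7NewWinGroupSyncEnabled: on
# AD is authoritative: never push DS changes back to the domain controller
oneWaySync: fromWindows
winSyncInterval: 300
# Connection to the domain controller: LDAPS with a dedicated low-privilege
# sync account (assumed name), not a Domain Admin
nsDS5ReplicaHost: dc01.example.com
nsDS5ReplicaPort: 636
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaBindDN: cn=dssync,cn=Users,dc=example,dc=com
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaCredentials: replace-with-the-sync-account-password
```

Two caveats a practitioner would want before relying on this: the suffix must already be enabled as a replica on the directory server before the agreement entry is added, and the domain controller's LDAPS certificate must be trusted by the directory server. More importantly for the question, winsync copies entry attributes, not password hashes; AD never exposes password hashes over LDAP, so a sync agreement alone leaves the Linux side without credentials. That is exactly why the "separate program" mentioned above (the PassSync service installed on the domain controller, which captures password changes and pushes them to the directory server) is still required for the password half of the picture.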