LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 10-08-2012, 10:42 PM   #1
shiden
LQ Newbie
 
Registered: Jul 2012
Posts: 12

Rep: Reputation: Disabled
centos 6.3 ldap + radius


Hello,

I would like some advice as I am not sure what I am meant to be researching on the internet for...

current configuration is that we have a global wide Active Directory Server.

I've been requested to set up a ldap+ radius server that sits between the AD server and a whole bunch of other servers.

I need to update the ldap entries each time they are updated in AD.
I also need to create a new group in LDAP to reflect these "new" servers that the ldap server would be taking care of.

I do not know if this is possible or not.

I've looked at ldap and radius and that seems pretty straight forward ( i think) but i am uncertain about the replication of a group/users from AD into ldap and setting up a new group for the new servers...

Would someone be willing to set me straight on this?

thanks
 
Old 10-10-2012, 07:20 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974
Personally I would strongly suggest exploring WHY they want a new LDAP instance here. What's wrong with AD? M$ provide IAS, which is mostly capable radius server. As much as I think FreeRADIUS is pretty good, as is OpenLDAP, why bother any of them if there's no need?

replication can be done in many ways, this looks pretty simple though - http://lsc-project.org/wiki/document...ctivedirectory
 
Old 10-10-2012, 06:58 PM   #3
shiden
LQ Newbie
 
Registered: Jul 2012
Posts: 12

Original Poster
Rep: Reputation: Disabled
reason is that AD is a "global solution" and trying to get the "global" people to do anything is difficult. Solution became that we would have an ldap server locally that we configure to put the local servers etc under ldap. the ldap server would act as a middle man between ad and the servers for authentication purposes and adding new groups/policy's. ~ or so im told.

Currently I have tested a solution where the ldap client can connect to the global AD however, if the user is not Locally created on the machines, then it cannot connect. This is not a feasible solution as we do not wish to maintain users on all the servers etc.

im not really sure how this will work or if anyone has done something (im sure they have ~ just not sure what im looking for).
i did find 389 Directory services and am looking into that. Or if there is a better way, I am open to people's suggestions/expertise.

Thanks
 
Old 10-11-2012, 02:24 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974
Persaonlly I would suggest NOT using 389DS. It's bit and old and clunky. I would also think that you possibly don't need to replicate data to LDAP, but could look at a translucent overlay instead. This allows you to effectively proxy AD via OpenLDAP and make a few compatability tweaks to the data as it passes through, including adding groups to accounts and such.

your test solution sounds like you are authenticating against AD but not obtaining user information from it. This could be possible on an ongoing basis by having OpenLDAP hold the posix user account info, and then you can either do authentication totally separately to OpenLDAP or proxy it through for a nicer diagram. http://linux.die.net/man/5/slapo-translucent Good example here - http://www.openldap.org/doc/admin24/overlays.html

From what you do describe, I'm not seeing a RADIUS perspective, but ultimately you need a legitimate LDAP base in place before that's of any concern any way.

Last edited by acid_kewpie; 10-11-2012 at 02:26 AM.
 
Old 10-11-2012, 05:59 PM   #5
shiden
LQ Newbie
 
Registered: Jul 2012
Posts: 12

Original Poster
Rep: Reputation: Disabled
as for the radius side, we have external users that need log into some servers.

thank you for the documentation and explanations/guidance. I will look into these.

much appreciated
 
Old 10-12-2012, 12:45 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974
Why would external server access mean RADIUS? RADIUS is only really used for network level things like router logins or vpn access. More and more though this sort of thing also often directly connects to LDAP as well.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LDAP and RADIUS server nitinjw Linux - Newbie 3 06-09-2011 12:51 PM
Radius + LDAP + EAP-PEAP jwstric2 Linux - Software 2 11-23-2010 08:53 PM
Ldap Radius Auth... tmolise Linux - General 1 11-02-2006 04:12 AM
Ldap Radius Authentication tmolise Linux - Software 0 11-01-2006 10:49 AM
LDAP and RADIUS questions depam Linux - Software 4 08-17-2006 03:08 AM


All times are GMT -5. The time now is 04:33 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration