LinuxQuestions.org
#1  ketanrane, 02-06-2015, 01:32 AM

Integrate Active directory with OpenLDAP


Hi,

In the first place I would like to give you a brief overview of my current setup and my requirement.
I have 80% of the machines with CentOS 6.5 installed; the rest (20%) run Windows 7. I have OpenLDAP v2.4 for user authentication.
In the Linux environment all Linux machines are configured in such a way that whenever a user logs on to a system with OpenLDAP credentials he gets a default desktop, i.e. a Mandatory Profile is implemented in this setup. Now my goal is to enable OpenLDAP users to log on to Windows machines and get the same Mandatory Profile setup there. So far a Samba PDC has helped me to authenticate LDAP accounts on Windows client machines, but the Mandatory Profile part isn't working well at all due to a POSIX ACLs issue. Now I am working with a Windows Server 2012 R2 server so as to integrate it with OpenLDAP to get this Mandatory Profile thing done. Is there any way I can sync all OpenLDAP accounts to Active Directory, or rather make my Windows server a member server of the OpenLDAP domain?

Please help me with this. Thanks in advance!!
 
#2  jpollard, 02-06-2015, 06:41 AM
I don't think it will work that way.

Windows AD uses a Kerberos foundation for logins, with LDAP for the profiles... But both the Kerberos and LDAP used are "slightly different" from the standard Kerberos/LDAP protocols.

You can make Linux use AD for authentication/authorization, but I don't believe the reverse works. That is what Samba implements when it is configured to be an AD server.
 
#3  ketanrane (original poster), 02-07-2015, 02:16 AM
Hi jpollard,

Thanks for the reply. I have got a third-party plugin, LSC (LDAP Synchronization Connector); they say this plugin helps one to sync an LDAP database to MS Active Directory. I am still unsure to what extent this plugin helps me to integrate OpenLDAP with Active Directory.
Are you sure that this reverse sync won't work??
 
#4  jpollard, 02-07-2015, 05:25 AM
I've never heard of anyone doing that. Not that it can't be done - it might, but most things don't, as MS has a persistent NIH problem with most standardized protocols.
 
#5  ketanrane (original poster), 02-11-2015, 02:41 AM

Mandatory Profile for Windows clients

Hi,

My primary requirement is to enable Windows clients to load a Mandatory Profile. As I discussed before, my setup consists of 80% Linux clients and OpenLDAP for user authentication, also with a Mandatory Profile configured so that every time a user logs in with his credentials he gets the default profile on his Linux box.
In a similar way my objective is to enable OpenLDAP users to log in to Windows clients, which was successfully achieved by setting up a Samba PDC (Samba 3.6), BUT unfortunately I am not able to set up a Mandatory Profile for Windows. So far I went through a couple of blogs and video tutorials online and built a Default profile, copied that profile into my [Profiles] share on the Samba PDC, configured a logon.bat file to mount the share at startup and configured the Windows client GPO to load the profile from the network share, which is not happening as expected. As of now, in this setup the user always logs in with a TEMP profile rather than loading the Default profile from the "Profiles" share. Further, I went through certain blogs; according to them Linux POSIX ACLs are the root cause behind this issue. This is why I thought of going with an OpenLDAP and Windows AD sync.

Require immediate help on this. Thanks in advance.
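
Added example (my own script, not ketanrane's setup and not Samba's code): it stages a single mandatory profile into a Samba 3 [Profiles] share the way Windows 7 clients look for it (a folder name carrying the .V2 suffix the client appends, the registry hive named NTUSER.MAN instead of NTUSER.DAT, and a folder every user can traverse and read), checks the result for the conditions that typically push the client into a TEMP profile, and prints the matching smb.conf fragment. The share-level settings follow the profile-share example in the Samba documentation, including "profile acls = yes", the setting aimed at the ACL symptom described in the post. The paths, the share name "Profiles", the folder name "Mandatory" and the placeholder hive bytes are assumptions.

```python
# Added example, not code from the thread or from Samba: stage a mandatory
# profile into a Samba 3 [Profiles] share for Windows 7 clients and emit the
# smb.conf fragment to go with it.  Paths and names are assumptions.
import os
import shutil
import stat
import tempfile

PROFILE_SUFFIX = ".V2"   # Windows Vista/7 clients append ".V2" to the profile folder they are given


def install_mandatory_profile(staging_dir, share_root, name="Mandatory"):
    """Copy a prepared profile to <share_root>/<name>.V2 and make it mandatory.

    The client treats a profile as mandatory only when the hive is NTUSER.MAN;
    with NTUSER.DAT it is a roaming profile and the client writes it back.
    """
    dest = os.path.join(share_root, name + PROFILE_SUFFIX)
    if os.path.isdir(dest):
        shutil.rmtree(dest)
    shutil.copytree(staging_dir, dest)
    dat = os.path.join(dest, "NTUSER.DAT")
    man = os.path.join(dest, "NTUSER.MAN")
    if os.path.isfile(dat) and not os.path.isfile(man):
        os.rename(dat, man)
    # Every domain user must traverse the folder and read the hive; a mandatory
    # profile is never written back, so nothing needs to be writable by them.
    for root, _dirs, files in os.walk(dest):
        os.chmod(root, 0o755)
        for fname in files:
            os.chmod(os.path.join(root, fname), 0o644)
    return dest


def check_profile(dest):
    """Return the conditions that commonly make the client fall back to TEMP."""
    if not os.path.isdir(dest):
        return ["profile folder does not exist"]
    problems = []
    if not dest.endswith(PROFILE_SUFFIX):
        problems.append("folder name lacks the %s suffix" % PROFILE_SUFFIX)
    if not os.path.isfile(os.path.join(dest, "NTUSER.MAN")):
        problems.append("NTUSER.MAN missing (not a mandatory profile)")
    if os.path.isfile(os.path.join(dest, "NTUSER.DAT")):
        problems.append("NTUSER.DAT present (client will treat it as roaming)")
    if stat.S_IMODE(os.stat(dest).st_mode) & 0o005 != 0o005:
        problems.append("folder not readable/traversable by other users")
    return problems


def smb_conf_fragment(profiles_dir, name="Mandatory"):
    """smb.conf settings: one logon path for everyone (the client appends .V2)
    and a [Profiles] share as in the Samba documentation's profile-share
    example.  'profile acls = yes' makes smbd present the ACLs on profile
    files the way Windows clients expect, which is the ACL symptom the thread
    describes."""
    return (
        "[global]\n"
        "   logon path = \\\\%%L\\Profiles\\%s\n"
        "\n"
        "[Profiles]\n"
        "   path = %s\n"
        "   read only = no\n"
        "   create mask = 0600\n"
        "   directory mask = 0700\n"
        "   browseable = no\n"
        "   profile acls = yes\n"
        "   csc policy = disable\n"
    ) % (name, profiles_dir)


def demo():
    """Build a throw-away staging profile (constructed, not a real hive) and run the steps."""
    work = tempfile.mkdtemp(prefix="profiles-")
    staging = os.path.join(work, "staging")
    os.makedirs(os.path.join(staging, "Desktop"))
    with open(os.path.join(staging, "NTUSER.DAT"), "wb") as fh:
        fh.write(b"regf")          # placeholder bytes standing in for the hive
    share_root = os.path.join(work, "profiles")
    os.makedirs(share_root)
    dest = install_mandatory_profile(staging, share_root)
    return dest, check_profile(dest)


if __name__ == "__main__":
    dest, problems = demo()
    print(dest, problems or "OK")
    print(smb_conf_fragment("/var/lib/samba/profiles"))
```

Run it on the PDC after building the profile on a Windows 7 box and copying it into a staging directory, then paste the printed fragment into smb.conf and restart smbd. Samba takes a per-user profile path from the passdb backend in preference to the global logon path, so with an LDAP backend also check that the user's sambaProfilePath attribute is either empty or points at the same folder.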
 
#6  jpollard, 02-11-2015, 06:37 AM
Unfortunately, MS doesn't want this to work. MS AD contains a modified Kerberos with features not supported by standard Kerberos. Standard Kerberos clients can work with AD (as the protocol was slightly modified to "accommodate" the non-standard extensions), but not the inverse. I believe the AD version of LDAP is also slightly modified, but I don't know in which way. In addition, AD requires very specific additions to its DNS configuration (every AD server is also a name server).

MOST of this has been rolled into Samba 4 (it provides the ACL translation), but I have read that the Kerberos extensions are not yet available/supported.

The Kerberos extensions were to turn an authentication protocol into an authentication+authorization protocol, so MS took an "unused" field and expanded it to carry authorization information, and thus made it incompatible with standard Kerberos (which didn't use the field). Since the field did have a length specification (also unused), none of the clients would work. The modification was mostly to the clients: to ignore the field, and use the length value to know how much to ignore. Previously neither was used, and being a fixed size it was trivial to ignore (but it broke as soon as the size was non-zero).

This should be detailed better in the Samba 4 documentation.

http://edoceo.com/howto/samba4

might help. But note - there still appears to be an AD central server.

Last edited by jpollard; 02-11-2015 at 06:43 AM.
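
Added example (mine, not jpollard's and not from any Kerberos implementation) of the "use the length to know how much to ignore" behaviour the post describes, in RFC 4120 terms: the ticket's authorization-data field is a DER SEQUENCE OF elements, each an ad-type Int32 plus an ad-data OCTET STRING; AD adds the PAC as ad-type 128 (AD-WIN2K-PAC) wrapped in AD-IF-RELEVANT (ad-type 1), and RFC 4120 lets an application server ignore an element inside AD-IF-RELEVANT that it does not understand, while an unknown element outside that wrapper is rejected. The script encodes both layouts from constructed data (200 zero bytes stand in for a PAC; no real MS-PAC structure is built) and walks them with a minimal DER reader, skipping each unknown element by its encoded length. The tag values, the AuthorizationData layout and ad-type numbers are from RFC 4120; everything else is an assumption.

```python
# Added example, not from the thread: walk a Kerberos AuthorizationData
# structure (RFC 4120 section 5.2.6) and skip, by its DER length, elements the
# client does not understand.  AD's PAC is ad-type 128 (AD-WIN2K-PAC) carried
# inside AD-IF-RELEVANT (ad-type 1); the PAC bytes here are a constructed
# placeholder, not a real MS-PAC structure.

AD_IF_RELEVANT = 1
AD_WIN2K_PAC = 128

# --- minimal DER helpers: SEQUENCE 0x30, INTEGER 0x02, OCTET STRING 0x04,
#     context-specific constructed tags [0] = 0xA0 and [1] = 0xA1 ---

def der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(n):
    """Minimal two's-complement INTEGER for a non-negative Int32."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return tlv(0x02, body)

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

# --- AuthorizationData ::= SEQUENCE OF SEQUENCE {
#         ad-type [0] Int32, ad-data [1] OCTET STRING } ---

def encode_authz(entries):
    elems = b""
    for ad_type, ad_data in entries:
        elems += tlv(0x30, tlv(0xA0, der_int(ad_type)) + tlv(0xA1, tlv(0x04, ad_data)))
    return tlv(0x30, elems)

def decode_authz(buf):
    """Return [(ad_type, ad_data), ...] without interpreting ad_data."""
    tag, seq, end = read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not an AuthorizationData SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        etag, elem, pos = read_tlv(seq, pos)
        t0, f0, p = read_tlv(elem, 0)
        t1, f1, _ = read_tlv(elem, p)
        if (etag, t0, t1) != (0x30, 0xA0, 0xA1):
            raise ValueError("malformed AuthorizationData element")
        itag, ival, _ = read_tlv(f0, 0)
        dtag, ad_data, _ = read_tlv(f1, 0)
        if itag != 0x02 or dtag != 0x04:
            raise ValueError("malformed ad-type / ad-data")
        out.append((int.from_bytes(ival, "big", signed=True), ad_data))
    return out

def process(buf, known=frozenset(), inside_if_relevant=False):
    """Visit every element; return [(ad_type, action, len(ad_data)), ...].

    Types listed in `known` are 'handled'.  An unknown type inside
    AD-IF-RELEVANT is 'skipped' using its DER length (RFC 4120 5.2.6.1); an
    unknown type at the top level is rejected, the strict behaviour of a
    client that knows nothing about the extension.
    """
    report = []
    for ad_type, ad_data in decode_authz(buf):
        if ad_type == AD_IF_RELEVANT:
            report.append((ad_type, "descend", len(ad_data)))
            report.extend(process(ad_data, known, True))
        elif ad_type in known:
            report.append((ad_type, "handled", len(ad_data)))
        elif inside_if_relevant:
            report.append((ad_type, "skipped", len(ad_data)))
        else:
            raise ValueError("unknown ad-type %d outside AD-IF-RELEVANT" % ad_type)
    return report

def rejects(buf, known=frozenset()):
    """True if a client with the given known types refuses this authorization data."""
    try:
        process(buf, known)
        return False
    except ValueError:
        return True

# Constructed samples: 200 bytes standing in for a PAC (forces long-form lengths)
PAC_BLOB = b"\x00" * 200
SAMPLE = encode_authz([(AD_IF_RELEVANT, encode_authz([(AD_WIN2K_PAC, PAC_BLOB)]))])
STRICT_SAMPLE = encode_authz([(AD_WIN2K_PAC, PAC_BLOB)])   # PAC at top level: rejected

if __name__ == "__main__":
    print(process(SAMPLE))                          # PAC skipped by its length
    print(process(SAMPLE, known={AD_WIN2K_PAC}))    # PAC handled by a PAC-aware client
    print(rejects(STRICT_SAMPLE))                   # True
```

The same walker covers both cases in the post: a client that has never heard of the PAC skips it because the wrapper tells it the element may be ignored and the DER length tells it how far to jump, and a client that does know ad-type 128 hands the bytes to its PAC parser instead.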
 
#7  ketanrane (original poster), 02-26-2015, 10:03 AM

Integrate OpenLDAP with MS AD

Hi jpollard,

I think this integration thing should work.
I am facing the same trouble; in my case I want my OpenLDAP server to chase AD referrals, which will take me a step closer to this integration thing.

I referred to these links:
http://www.linuxquestions.org/questi...ls-4175516332/

jlacroix was able to make this thing work, as mentioned by him, but he didn't share the details about his configuration.
 