80+ samba domains into 1 directory service
Hi, can anyone please offer any recommendations for the following scenario...
I currently have 90+ sites running CentOS 4.3-4.6, where all our Windows clients authenticate locally to their site servers using Samba 3 on each server.
I am feeling some pressure from the rest of our colleagues who operate and support the OS systems to connect into their Active Directory structure so we can start to use some of their applications and authenticate to their systems through AD.
We would like to keep our current open-source environment, with a change to one directory structure, where I want to get Samba, FreeRADIUS and Squid authenticating.
I have looked at the following:
1. Samba connected to an OpenLDAP backend, having one PDC and all other sites acting as BDCs. The problems encountered so far with this are that I am having a lot of trouble setting it up (I have only been working on Linux for 1 year and inherited the system) and the GUI tools for the frontends don't seem user friendly for system administrators (Webmin seems to be almost there).
2. IPA - a tool that seems to install a frontend and backend, but I am having issues getting Samba running with it.
3. Fedora Directory Server - currently doing some dev work on this to see if it will resolve our issues.
4. Active Directory services - a colleague of mine is currently looking to see if we can get Samba talking directly to one of the Active Directory domains, as this would be the quick fix: we could then set up trusts to the OS AD domains...
Any advice would be greatly appreciated...
Yikes. Congratulations on retaining your sanity.
First of all, don't put too much reliance on graphical tools - on Linux they are just thin wrappers around the underlying libraries and command-line utilities. Only a subset of the functionality is exposed graphically, and you've probably got too complex an architecture for the simpler GUI tools to cope with at all.
If I understand you correctly, I think that you have got three separate projects here:
1) Determining which central LDAP directory will hold the user records, and setting it up appropriately.
2) Figuring out how to configure your key services (Samba etc.) to use that directory.
3) Migrating the users and services to point to the central directory (probably site-by-site).
Active Directory, OpenLDAP and Fedora/Red Hat Directory Server are all proven technologies capable of handling a massive quantity of records. FreeIPA is a preconfigured setup of FDS plus other stuff. Which one is best for your organization depends on your circumstances. It is possible to sync records from one directory to another if you want or need to maintain two separate directory services.
Plugging your services into an existing LDAP infrastructure requires a basic knowledge of LDAP, but is manageable. Actually designing and implementing a large LDAP infrastructure is a much bigger project because there are a lot of non-technical details that have to be sorted out, in addition to the technical implementation work. The two best sources of information that I've seen on this are the copious Red Hat Directory Server docs that RH provide for free download, and study information for the MS Active Directory design exam.
If your organization already has an AD system then the support team for it have already done the work, and may have the necessary expertise to maintain it. I say "may" because Windows seems very forgiving of botched directory implementations, so in the worst case the corporate AD may be a mess, there may be no-one on hand that really understands how it works, and the support team may think it's OK because, hey, the users can sign in from their XP desktops.
The litmus test of whether you can work with the AD system is to talk to the senior technical person and slide in the term "schema extensions". MS strongly discourage all modification of the AD schema (except that which their own products do), but it's a perfectly legitimate thing to do, and may be necessary to fully support non-MS clients. His/her reaction will tell you whether you can work with them and use their system, or will have to go it alone.
thanks for the reply, sorry about the delay, been stuck in a room all week trying to get this up and running.
Yes, it is 3 projects or a few stages at least.
1- To determine the directory service that will hold all our user records. I have managed to get Samba 3.0.28 running on an OpenLDAP backend where we have 1 PDC and it replicates changes to our BDC (more BDCs to come, as all our other sites will act as BDCs). The following doc helped a lot.
2- So now we can register onto the domain and connect to either the BDC or PDC, which is where we were trying to head.
3- Once I have this all rounded off and tested thoroughly, I will then look at rolling this out site by site, hitting small sites first as we can test in the live environment.
Our biggest hit with this solution was that our global partners wanted us to connect to their Active Directory in order to access their applications. I have set up a trust account on Samba and set up a trust (outgoing) on the AD. Now we can add users into a group that the AD admins can allow access to the applications they require us to access, without them needing to set up accounts and handle passwords etc...
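The setup described in the post above (one ldapsam-backed PDC with site servers as BDCs, plus an interdomain trust account) boils down to a handful of smb.conf parameters that differ between roles and a few that must be identical everywhere. The following is an added example, not the poster's configuration: a small POSIX shell helper that renders a Samba 3 smb.conf for a given role and checks that a PDC/BDC pair is consistent. The domain name SITEDOM, the suffix dc=example,dc=internal, the admin DN and the LDAP hostnames are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): render a Samba 3 smb.conf for a
# site server acting as PDC or BDC against one shared OpenLDAP (ldapsam) backend.
# Assumed placeholders: domain SITEDOM, suffix dc=example,dc=internal, the admin
# DN cn=samba,ou=DSA,... and the ldap-master/ldap-replica hostnames.

render_smb_conf() {
    role="$1"        # pdc or bdc
    netbios="$2"     # this server's NetBIOS name
    ldap_uri="$3"    # ldap://host this server reads from (BDCs use a local replica)
    case "$role" in
        pdc) domain_master=yes ;;
        bdc) domain_master=no ;;
        *) echo "role must be pdc or bdc" >&2; return 1 ;;
    esac
    cat <<EOF
[global]
    workgroup = SITEDOM
    netbios name = $netbios
    security = user
    domain logons = yes
    # Exactly one domain master per NT domain; every other site server is a BDC.
    domain master = $domain_master
    local master = yes
    preferred master = yes
    os level = 65

    # Single source of truth: all site servers read the same ldapsam data.
    passdb backend = ldapsam:$ldap_uri
    ldap suffix = dc=example,dc=internal
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap
    # Bind DN for Samba; its password is stored in secrets.tdb with: smbpasswd -w <pw>
    ldap admin dn = cn=samba,ou=DSA,dc=example,dc=internal
    # Never send that bind password in the clear across the WAN between sites.
    ldap ssl = start tls
    ldap passwd sync = yes
    # A BDC talks to a read-only replica; writes are referred to the master and
    # take a moment to replicate back, so Samba waits (ms) before re-reading.
    ldap replication sleep = 1000

    # The interdomain trust account for the partner AD is stored in the directory
    # as well, so every BDC sees it after: net rpc trustdom add PARTNERAD <pw> -U root
EOF
}

# Sanity check before pushing a pair of configs to a site: the BDC must not claim
# to be domain master, and both must share one ldap suffix (one directory).
check_roles_consistent() {
    pdc_cfg=$(render_smb_conf pdc SITE01-PDC ldap://ldap-master.example.internal)
    bdc_cfg=$(render_smb_conf bdc SITE02-BDC ldap://ldap-replica.site02.example.internal)
    printf '%s\n' "$pdc_cfg" | grep -q '^ *domain master = yes$' || return 1
    printf '%s\n' "$bdc_cfg" | grep -q '^ *domain master = no$' || return 1
    pdc_sfx=$(printf '%s\n' "$pdc_cfg" | grep '^ *ldap suffix')
    bdc_sfx=$(printf '%s\n' "$bdc_cfg" | grep '^ *ldap suffix')
    [ "$pdc_sfx" = "$bdc_sfx" ]
}

# Usage: ./render.sh pdc SITE01-PDC ldap://ldap-master.example.internal > smb.conf
if [ "$#" -ge 3 ]; then
    render_smb_conf "$1" "$2" "$3"
fi
```

Run `testparm` on the rendered file on each server before restarting smbd; the one setting that must be identical on every site server is the ldapsam suffix, and the one that must differ is `domain master`.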
You might want to try zivios (http://www.zivios.org). It's a consolidated web panel and an n-tiered PHP-5 application. It uses MySQL and OpenLDAP as its data store, with OpenLDAP being the primary back end for identity management and application integration and MySQL being used for panel-specific data. Check it out!