Linux - Newbie
This Linux forum is for members that are new to Linux. Just starting out and have a question? If it is not in the man pages or the how-tos, this is the place!
I would like some advice, as I am not sure what I am meant to be researching on the internet for...
The current configuration is that we have a global-wide Active Directory server.
I've been requested to set up an LDAP + RADIUS server that sits between the AD server and a whole bunch of other servers.
I need to update the LDAP entries each time they are updated in AD.
I also need to create a new group in LDAP to reflect these "new" servers that the LDAP server would be taking care of.
I do not know if this is possible or not.
I've looked at LDAP and RADIUS and that seems pretty straightforward (I think), but I am uncertain about the replication of a group/users from AD into LDAP and setting up a new group for the new servers...
Would someone be willing to set me straight on this?
Personally I would strongly suggest exploring WHY they want a new LDAP instance here. What's wrong with AD? M$ provide IAS, which is a mostly capable RADIUS server. As much as I think FreeRADIUS is pretty good, as is OpenLDAP, why bother with any of them if there's no need?
The reason is that AD is a "global solution" and trying to get the "global" people to do anything is difficult. The solution became that we would have an LDAP server locally that we configure to put the local servers etc. under LDAP. The LDAP server would act as a middle man between AD and the servers for authentication purposes and adding new groups/policies. ~ or so I'm told.
Currently I have tested a solution where the LDAP client can connect to the global AD; however, if the user is not locally created on the machines, then it cannot connect. This is not a feasible solution, as we do not wish to maintain users on all the servers etc.
I'm not really sure how this will work or if anyone has done something similar (I'm sure they have ~ just not sure what I'm looking for).
I did find 389 Directory Services and am looking into that. Or if there is a better way, I am open to people's suggestions/expertise.
Personally I would suggest NOT using 389DS. It's a bit old and clunky. I would also think that you possibly don't need to replicate data to LDAP, but could look at a translucent overlay instead. This allows you to effectively proxy AD via OpenLDAP and make a few compatibility tweaks to the data as it passes through, including adding groups to accounts and such.
Your test solution sounds like you are authenticating against AD but not obtaining user information from it. This could be possible on an ongoing basis by having OpenLDAP hold the POSIX user account info, and then you can either do authentication totally separately to OpenLDAP or proxy it through for a nicer diagram. http://linux.die.net/man/5/slapo-translucent Good example here - http://www.openldap.org/doc/admin24/overlays.html
From what you do describe, I'm not seeing a RADIUS perspective, but ultimately you need a legitimate LDAP base in place before that's of any concern anyway.
Last edited by acid_kewpie; 10-11-2012 at 02:26 AM.
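An added illustrative slapd.conf fragment (not from acid_kewpie or the OpenLDAP project) of the translucent proxy idea described in the post above: AD stays the source of identity and passwords, while OpenLDAP stores the POSIX attributes locally and merges them into the proxied entries. The hostname, suffix, service account and paths are assumptions, and the directive layout follows slapo-translucent(5) and slapd-ldap(5); check it against your OpenLDAP version.

```conf
# Illustrative slapd.conf fragment (constructed example, not from the thread).
# Hostnames, suffix, DNs, passwords and paths are placeholders.

# Proxy database: searches and binds are forwarded to the AD domain controller.
database        ldap
suffix          "dc=example,dc=com"          # assumed: must match the AD naming context
rootdn          "cn=translucent-admin,dc=example,dc=com"
rootpw          REPLACE_WITH_LOCAL_ROOT_PW    # only for writing local POSIX attributes
uri             ldaps://ad.example.com/       # assumed DC name; LDAPS keeps user binds encrypted
lastmod         off

# Read-only service account used for the proxy's own ACL lookups, not for user
# binds. Keep this file root-readable only: it holds a domain credential.
acl-bind        bindmethod=simple
                binddn="cn=ldap-proxy,cn=Users,dc=example,dc=com"
                credentials="REPLACE_WITH_SERVICE_ACCOUNT_PW"

# Translucent overlay: entries and passwords come from AD; attributes written
# through the proxy (e.g. uidNumber, gidNumber, homeDirectory, loginShell)
# are stored in the local database and merged into the AD entry on read.
overlay         translucent
translucent_strict                  # refuse client attempts to delete AD-held attributes
# Attributes that search filters should also match against the local store;
# without this, a filter such as (uidNumber=10001) is evaluated only on AD.
translucent_local  uidNumber,gidNumber,homeDirectory,loginShell,gecos

# Local store for the POSIX data the overlay adds to AD accounts.
database        mdb
directory       /var/lib/ldap/translucent     # assumed path; owned by the slapd user
index           objectClass,uidNumber,gidNumber eq
```

POSIX attributes are added by binding as the rootdn and modifying the user's DN through the proxy; user authentication still ends up at AD, so no passwords are copied into OpenLDAP.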
Why would external server access mean RADIUS? RADIUS is only really used for network-level things like router logins or VPN access. More and more, though, this sort of thing also often connects directly to LDAP as well.