Hello,

I would like some advice as I am not sure what I am meant to be researching on the internet for...

current configuration is that we have a global wide Active Directory Server.

I've been requested to set up a ldap+ radius server that sits between the AD server and a whole bunch of other servers.

I need to update the ldap entries each time they are updated in AD.
I also need to create a new group in LDAP to reflect these "new" servers that the ldap server would be taking care of.

I do not know if this is possible or not.

I've looked at ldap and radius and that seems pretty straight forward ( i think) but i am uncertain about the replication of a group/users from AD into ldap and setting up a new group for the new servers...

Would someone be willing to set me straight on this?

thanks

Personally I would strongly suggest exploring WHY they want a new LDAP instance here. What's wrong with AD? M$ provide IAS, which is mostly capable radius server. As much as I think FreeRADIUS is pretty good, as is OpenLDAP, why bother any of them if there's no need?

replication can be done in many ways, this looks pretty simple though - http://lsc-project.org/wiki/document...ctivedirectory

reason is that AD is a "global solution" and trying to get the "global" people to do anything is difficult. Solution became that we would have an ldap server locally that we configure to put the local servers etc under ldap. the ldap server would act as a middle man between ad and the servers for authentication purposes and adding new groups/policy's. ~ or so im told.

Currently I have tested a solution where the ldap client can connect to the global AD however, if the user is not Locally created on the machines, then it cannot connect. This is not a feasible solution as we do not wish to maintain users on all the servers etc.

im not really sure how this will work or if anyone has done something (im sure they have ~ just not sure what im looking for).
i did find 389 Directory services and am looking into that. Or if there is a better way, I am open to people's suggestions/expertise.

Thanks

Persaonlly I would suggest NOT using 389DS. It's bit and old and clunky. I would also think that you possibly don't need to replicate data to LDAP, but could look at a translucent overlay instead. This allows you to effectively proxy AD via OpenLDAP and make a few compatability tweaks to the data as it passes through, including adding groups to accounts and such.

your test solution sounds like you are authenticating against AD but not obtaining user information from it. This could be possible on an ongoing basis by having OpenLDAP hold the posix user account info, and then you can either do authentication totally separately to OpenLDAP or proxy it through for a nicer diagram. http://linux.die.net/man/5/slapo-translucent Good example here - http://www.openldap.org/doc/admin24/overlays.html

From what you do describe, I'm not seeing a RADIUS perspective, but ultimately you need a legitimate LDAP base in place before that's of any concern any way.

as for the radius side, we have external users that need log into some servers.

thank you for the documentation and explanations/guidance. I will look into these.

much appreciated

Why would external server access mean RADIUS? RADIUS is only really used for network level things like router logins or vpn access. More and more though this sort of thing also often directly connects to LDAP as well.