LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 03-06-2014, 12:42 PM   #1
omid_j
LQ Newbie
Registered: Mar 2014
Posts: 3
Could someone clear this confusion up for me? OpenLDAP, AD (single-user auth)
Hello everyone.

I've been working on an assignment for one of my courses at my college and I've been pretty much banging my head against a wall because nothing seems to be making any sense now.

Some background info:
  • 2 Companies (ABC.CO and BIGGUY.COM)
  • Companies have "merged"
  • Two Domains**
  • ABC.CO -> CentOS 6.5 with OpenLDAP
  • BIGGUY.COM -> Server 08 R2 with AD

I've read a lot about different ways of getting this to work. Using things such as an OpenLDAP proxy to AD, using Samba V4 to import clients into AD and what not, but the one major thing confusing me is the domains.

Nowhere has it been explicitly indicated that there are two domains. I am just assuming this is true as initially it was two separate companies. One working solution I had was simply importing clients into AD using Samba V4 and being able to authenticate with users against AD.

That approach, however, made me feel as if I've completely ignored one of the domains (ABC.CO). At the same time though, OpenLDAP simply centrally manages users and groups to prevent UID/GID conflicts. AD already has its own LDAP solution and does much more.

For this reason, would it be safe to simply conclude that only one domain exists (BIGGUY.COM) and that I can just simply create an OU within AD for the ABC.CO user base and join all the clients into the domain?

I really feel like I'm overthinking things by thinking that two domains exist and that I somehow need to join the ABC.CO domain into the forest in which BIGGUY.COM exists.

There are no indications that DNS is configured on the ABC.CO side either, if that helps.

At the moment, I'm testing various things that come to mind in a virtual environment. Therefore, there isn't really a user base on either end (OpenLDAP/AD).

I greatly appreciate any help that anyone can provide.
Old 03-09-2014, 07:53 AM   #2
Ser Olmy
Senior Member
Registered: Jan 2012
Distribution: Slackware
Posts: 3,339
Quote:
Originally Posted by omid_j
I've read a lot about different ways of getting this to work. Using things such as an OpenLDAP proxy to AD, using Samba V4 to import clients into AD and what not, but the one major thing confusing me is the domains.

Nowhere has it been explicitly indicated that there are two domains. I am just assuming this is true as initially it was two separate companies. One working solution I had was simply importing clients into AD using Samba V4 and being able to authenticate with users against AD.

That approach, however, made me feel as if I've completely ignored one of the domains (ABC.CO). At the same time though, OpenLDAP simply centrally manages users and groups to prevent UID/GID conflicts. AD already has its own LDAP solution and does much more.
The "domains" are just namespaces for user accounts and other directory data. You start with two databases, one in AD and one in OpenLDAP, and migrate the objects from one of the databases into the other.

You can do this in two ways:
  1. Import the objects into the existing domain namespace
  2. Create a new namespace (domain/subdomain) and place the migrated objects there
It all depends on how the account objects are supposed to work post-migration. Are the objects "userX@ABC.CO" to become "userX@BIGGUY.COM", or should the naming convention and/or the domain namespace be retained? (Incidentally, AD supports multiple UPN suffixes within a domain, so it's possible for "userX@ABC.CO" to exist within the "BIGGUY.COM" domain/realm.)
1 members found this post helpful.
Old 03-09-2014, 11:37 AM   #3
omid_j
LQ Newbie
Registered: Mar 2014
Posts: 3
Original Poster
Quote:
Originally Posted by Ser Olmy
It all depends on how the account objects are supposed to work post-migration. Are the objects "userX@ABC.CO" to become "userX@BIGGUY.COM", or should the naming convention and/or the domain namespace be retained? (Incidentally, AD supports multiple UPN suffixes within a domain, so it's possible for "userX@ABC.CO" to exist within the "BIGGUY.COM" domain/realm.)
To tell you the truth, I'm not sure what the naming context of the objects is supposed to be, as it was never explicitly defined. I'm assuming that whatever object belonged to the ABC.CO namespace will need to retain its naming context within that specific namespace.

You are right, however, that AD does allow for multiple UPNs, and I have completely overlooked this. At the moment, I'm trying to configure an IdM instance on RHEL 6.5 to see if I can configure a cross-realm/forest trust with AD. If I have no luck with this, I'll just see to migrating the objects from the ABC.CO namespace into AD and assigning those objects an alternative UPN.

The only thing is, how would I handle the different object properties in AD (POSIX attributes) to be able to authenticate them on Linux machines? I did come across the IMU (Identity Management Unix) role for AD DS, but I wasn't quite sure where to begin with that.
Old 03-09-2014, 12:53 PM   #4
Ser Olmy
Senior Member
Registered: Jan 2012
Distribution: Slackware
Posts: 3,339
Quote:
Originally Posted by omid_j
The only thing is, how would I handle the different object properties in AD (POSIX attributes) to be able to authenticate them on Linux machines? I did come across the IMU (Identity Management Unix) role for AD DS, but I wasn't quite sure where to begin with that.
Apart from the fact that the AD schema may not accommodate POSIX attributes (extending the schema is no big deal, though), you can use Samba and PAM to authenticate AD users. pam_winbind will honor the uidNumber/gidNumber/homeDirectory attributes if configured to do so.
1 members found this post helpful.
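As an added example (not code from the thread or from Samba), here is a small Python script that carries ABC.CO posixAccount entries from an OpenLDAP export into LDIF for an OU in the BIGGUY.COM domain, keeping userX@ABC.CO as the userPrincipalName and mapping the POSIX attributes onto the RFC2307 attributes that winbind can read; note that in AD's RFC2307 schema the Unix home path lives in unixHomeDirectory, because AD's own homeDirectory attribute is the Windows home share. The sample users, the target OU, and a UPN suffix already registered in the forest are assumptions.

```python
import re
# Constructed sample of an OpenLDAP export (slapcat output) for two ABC.CO users.
OPENLDAP_LDIF = """\
dn: uid=jdoe,ou=People,dc=abc,dc=co
uid: jdoe
cn: John Doe
sn: Doe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
loginShell: /bin/bash

dn: uid=asmith,ou=People,dc=abc,dc=co
uid: asmith
cn: Alice Smith
sn: Smith
uidNumber: 10002
gidNumber: 10001
homeDirectory: /home/asmith
"""

TARGET_OU = "OU=ABC.CO,DC=bigguy,DC=com"  # assumed OU for the migrated ABC.CO users
UPN_SUFFIX = "ABC.CO"                     # assumed to be registered as an alternative UPN suffix

# OpenLDAP posixAccount attribute -> AD RFC2307 attribute. AD's homeDirectory is the
# Windows home share, so the Unix path must go to unixHomeDirectory instead.
POSIX_MAP = {"uidNumber": "uidNumber", "gidNumber": "gidNumber",
             "homeDirectory": "unixHomeDirectory", "loginShell": "loginShell"}

def parse_ldif(text):
    """Parse plain single-valued LDIF (no folding, no base64) into one dict per entry."""
    return [dict(l.partition(": ")[::2] for l in b.splitlines())
            for b in re.split(r"\n\s*\n", text.strip())]

def to_ad_entry(e):
    """Build the AD user: same login name, UPN kept in the ABC.CO namespace."""
    ad = {"dn": "CN=%s,%s" % (e["cn"], TARGET_OU), "objectClass": "user",
          "cn": e["cn"], "sn": e["sn"], "sAMAccountName": e["uid"],
          "userPrincipalName": "%s@%s" % (e["uid"], UPN_SUFFIX)}
    ad.update((dst, e[src]) for src, dst in POSIX_MAP.items() if src in e)
    ad.setdefault("loginShell", "/bin/bash")  # export had no shell: supply a default
    return ad

def migrate_ldif(text):
    """Emit an LDIF add-script for every user in the OpenLDAP export."""
    out = []
    for ad in map(to_ad_entry, parse_ldif(text)):
        body = "\n".join("%s: %s" % kv for kv in ad.items() if kv[0] != "dn")
        out.append("dn: %s\nchangetype: add\n%s" % (ad["dn"], body))
    return "\n\n".join(out) + "\n"
```

The resulting LDIF is what you would feed to the AD import tool of your choice; winbind then needs to be told to read the RFC2307 attributes rather than allocate its own IDs.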
Old 03-09-2014, 05:11 PM   #5
omid_j
LQ Newbie
Registered: Mar 2014
Posts: 3
Original Poster
Thanks for the help. I think I'll resort to simply using Samba and PAM and just importing them into the AD domain. FreeIPA/IdM was also interesting and a good learning experience up to the point I got with it. For this case though, I think it would be easier to go down the route of importing and using AD.