|
Linux user accounts in AD?
Hi, I have a strange problem. Please do not flame me this is not my doing I have been asked to get this working.
The situation is that I currently have a number of linux/unix user accounts to migrate in to Windows AD (2003 R2 with services for unix installed)
I have been told that all users will have a user account in AD in a numeric format 01-2345, this is the user account they will use when they log in with a windows client.
When the same user logs in using a Linux client they need to use an account with an alpha character in front of it, i.e A12-2345. OK this is the crunch, there can be only one account in AD, no software or schema changes are allowed in AD.
Additionally the Unix users are required to be able to change their passwords on the Linux/Unix platform as well.
What I have tried so far:
Kerberos and LDAP clients configured with PAM modules allow the linux machines to authenticate to AD, works very well and allows the users to login and change there passwords. However I have found no way to translate the users login name from 12-2345 to A12-2345 for the linux platform as specified. Kerberos option auth_to_local does not seem to work at all in RedHat (or what am I doing wrong, more info if needed).
With this we have tried various iterations of trying to get LDAP to use different AD attributes such as userprinciplename and UID none of which would work.
Potential Options:
If you have any suggestions on the best way to go about this let me know.
OpenLDAP Proxy to AD with translation in place to rewrite the samaccountname field.
Samba and Winbind as a member of the AD domain, is there any way to rewite the Samba/Windows account names?
OpenLDAP server with full replication (including the password field) from AD, where I can manipulate the User ID field. I believe Fedora Directory server is capable of this but requires Passsync to be installed on the AD domain controller for full password synchronisation (management screwed this one, any suggestions?)
|
