mastahnke
Jan 30, 2004

phiglit_missally posted:

I have an interesting problem.

I would like to replicate the user accounts from our AD user store, to an OpenLDAP, with passwords being translated into what a Unix client would query against. Do any of you fine people have a good website for walking through the process? I have done google search after google search, but all of the sites I have found are for consulting on doing this, or just posts/emails saying (in more words) "Keep them separate."

Any advice or sites you could recommend?

Couldn't you just use AD rather than replicate it into OpenLDAP? You can certainly make Linux boxes authenticate and authorize against AD.

I assume you have other good stuff in your OpenLDAP and that's why you want to use it? You could always have one source of data for authentication (AD) and one for other goodness.


mastahnke
Jan 30, 2004

Without Pants posted:

I'd really like to know this too. The scripts would probably be trivial to port over but... I'm lazy.

Um logwatch for Linux is basically the same thing. You configure what you want, and it audits stuff and sends it to you. RHEL has it on by default and I normally just put a .forward file in ~/root if I care about those messages.

If it's something specific then I can't help, but if it's general like

* how many times did a user attempt login and fail
* disk space
* snippets from /var/log/secure

then you are set.
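The three checks the post lists (failed logins, disk space, snippets from /var/log/secure) are the bread and butter of a logwatch-style report. As an added example that is not code from the post or from logwatch, here is the failed-login part written out: it parses sshd password failures and pam su failures out of a constructed sample of /var/log/secure, counts them per user and per source address, and flags sources that exceed a threshold. The log lines are made up for the example.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure (syslog format); not real log data.
SAMPLE_SECURE_LOG = """\
Jan 30 10:01:12 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 30 10:01:15 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 30 10:01:19 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jan 30 10:02:40 web1 sshd[2210]: Accepted publickey for backup from 192.0.2.10 port 40022 ssh2
Jan 30 10:05:03 web1 sshd[2215]: Failed password for alice from 198.51.100.4 port 33001 ssh2
Jan 30 10:05:09 web1 sshd[2215]: Accepted password for alice from 198.51.100.4 port 33001 ssh2
Jan 30 10:07:55 web1 su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/1 ruser=bob rhost=  user=root
"""

# "invalid user" marks a username sshd could not even resolve (classic scanner noise).
SSHD_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
# pam_unix records who ran su (ruser=) and which account they were after (user=).
SU_FAIL = re.compile(
    r"su: pam_unix\(su:auth\): authentication failure;.*\bruser=(?P<ruser>\S+).*\buser=(?P<target>\S+)")


def sshd_failures(log_text):
    """Count sshd password failures per user and per source IP; also collect nonexistent usernames."""
    per_user, per_source, invalid_users = Counter(), Counter(), set()
    for line in log_text.splitlines():
        m = SSHD_FAIL.search(line)
        if not m:
            continue
        per_user[m["user"]] += 1
        per_source[m["ip"]] += 1
        if m["invalid"]:
            invalid_users.add(m["user"])
    return per_user, per_source, invalid_users


def su_failures(log_text):
    """(who, target) pairs for failed su attempts, e.g. bob -> root."""
    return [(m["ruser"], m["target"]) for m in map(SU_FAIL.search, log_text.splitlines()) if m]


def noisy_sources(log_text, threshold=3):
    """Source IPs with at least `threshold` failed sshd logins (a crude brute-force indicator)."""
    _, per_source, _ = sshd_failures(log_text)
    return sorted(ip for ip, n in per_source.items() if n >= threshold)


def report(log_text, threshold=3):
    """Plain-text summary in the spirit of a logwatch section."""
    per_user, per_source, invalid = sshd_failures(log_text)
    out = ["Failed sshd logins by user:"]
    out += [f"  {u}: {n}" + ("  (no such user)" if u in invalid else "")
            for u, n in per_user.most_common()]
    out.append("Failed sshd logins by source:")
    out += [f"  {ip}: {n}" for ip, n in per_source.most_common()]
    noisy = noisy_sources(log_text, threshold)
    if noisy:
        out.append(f"Sources at or above {threshold} failures: {', '.join(noisy)}")
    for who, target in su_failures(log_text):
        out.append(f"Failed su: {who} -> {target}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_SECURE_LOG))
```

Pipe this into the same cron job that mails root and you have the "how many times did a user attempt login and fail" line item; the threshold is the knob to tune so that one fat-fingered password does not page anyone while a scanner walking through usernames does.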

mastahnke
Jan 30, 2004

GT_Onizuka posted:

Is there any way to disable this?
code:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host i
I understand the potential implications, I don't need a lesson on that. At work we have one main box that's exposed to the internet, and you can access the other machines through SSH by going through a specific port on the main machine that's just forwarded to 22 on another machine. However, if you've accessed one of the machines (let's say the main one), if you try and SSH into any of the others (with the specified port) you get this error message.

Essentially I'm writing a backup script for a machine that'll only rsync to those servers, and it needs to do it to two of them. I can't just delete the .ssh/known_hosts file, otherwise I'll get prompted, which cannot happen, as it needs to be automated. Is there any way I can disable/ignore this warning?

The better question is why are your hostkeys changing? If they change one on a rebuild, then I guess I understand, if your hostkeys are changing a lot, then you have other issues. (Or I guess you could be using DHCP).

Either way, you lose a critical layer of security by simply ignoring hostkeys.

<shamelessplug> http://www.amazon.com/Pro-OpenSSH-Michael-Stahnke/dp/1590594762 Buy my SSH BOOK! </shamelessplug>
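The setup described in the question (several machines reached through different forwarded ports on one exposed box) is exactly the case where host keys collide in known_hosts: every target looks like the same host, so the second one you connect to trips the warning. The fix that keeps the check instead of ignoring it is to give each forwarded port its own HostKeyAlias, pin its key in a known_hosts file that belongs to the backup job, and run ssh with StrictHostKeyChecking=yes and BatchMode=yes so a mismatch aborts the job instead of prompting. Below is an added example of that, not code from the thread; the bastion name gw.example.com, the ports 2201/2202, the aliases db1/db2, the backup user and the known_hosts path are all hypothetical.

```python
import shlex
from pathlib import Path

# Hypothetical layout: bastion gw.example.com forwards TCP 2201 -> db1:22 and 2202 -> db2:22.
# Both servers are reached through the same bastion name, so without an alias their keys
# are stored under the same name (or only as [gw.example.com]:port) and clash.
TARGETS = {
    "db1": {"host": "gw.example.com", "port": 2201},
    "db2": {"host": "gw.example.com", "port": 2202},
}
# Dedicated, pre-seeded known_hosts for the backup job (hypothetical path).
PINNED_KNOWN_HOSTS = Path("/var/backup/.ssh/known_hosts_pinned")


def ssh_options(alias, target, known_hosts=PINNED_KNOWN_HOSTS):
    """ssh options that pin each forwarded port to its own key entry and fail hard on mismatch."""
    return [
        "-p", str(target["port"]),
        "-o", f"HostKeyAlias={alias}",              # look the key up under 'db1', not '[gw]:2201'
        "-o", f"UserKnownHostsFile={known_hosts}",   # trust only what the job was seeded with
        "-o", "StrictHostKeyChecking=yes",          # never auto-add; changed/missing key aborts
        "-o", "BatchMode=yes",                      # no password or confirmation prompts, ever
    ]


def rsync_argv(alias, src, dest_path, user="backup", targets=TARGETS):
    """argv for an unattended rsync to one forwarded host."""
    target = targets[alias]
    ssh_cmd = "ssh " + shlex.join(ssh_options(alias, target))
    return ["rsync", "-az", "-e", ssh_cmd, src, f"{user}@{target['host']}:{dest_path}"]


def alias_keyscan(keyscan_line, alias):
    """Rewrite one 'ssh-keyscan -p PORT HOST' output line so the key is stored under the alias.

    With HostKeyAlias set, ssh looks for the bare alias in known_hosts, not '[host]:port'.
    """
    _hostfield, keytype, key = keyscan_line.split()[:3]
    return f"{alias} {keytype} {key}"


def pinned_names(known_hosts_text):
    """Host names/aliases that have a usable key pinned in plain (unhashed) known_hosts text."""
    names = set()
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "@revoked":          # a revoked key is not a pin
            continue
        if fields[0] == "@cert-authority":   # CA line: the name pattern follows the marker
            fields = fields[1:]
        names.update(fields[0].split(","))
    return names


def missing_pins(known_hosts_text, targets=TARGETS):
    """Aliases the backup job needs that have no pinned key yet; check this before the first run."""
    return sorted(set(targets) - pinned_names(known_hosts_text))


if __name__ == "__main__":
    for alias in TARGETS:
        print(shlex.join(rsync_argv(alias, "/srv/data/", f"/backups/{alias}/")))
```

Seeding is a one-time, out-of-band step: run `ssh-keyscan -p 2201 gw.example.com`, pass each line through alias_keyscan, and compare the fingerprint (`ssh-keygen -lf` on the resulting line) against the one shown on the server's console before appending it to the pinned file. Keyscan alone is trust-on-first-use; the comparison is what makes it a pin. From then on the job fails loudly on a rebuilt host, which is the behaviour you want, since a rebuild is also the moment someone has to re-verify the new key anyway.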

mastahnke
Jan 30, 2004

phiglit_missally posted:

Right. We do not have direct control over our AD in my office, due to being owned by a bigger company. We have a lot more stuff that needs an extended schema though. Without divulging too much, we run game servers, game development environments, and host a lot of services like a wiki, ticket tracking, lots of mysql databases, and unix logins for the entire building. I would rather keep the Unix/Linux side working the way it is through ldap, just because it is working. I would just like to migrate at least some of the windows user accounts with our unix side.

I don't really need active replication, but a script or something to migrate the first time would definitely help a lot. I can keep the user accounts fairly synced going forward, but inputting over 100 user records by hand, and getting the users to input a password, is not something I would choose to do.

Ok, so for user information use AD and for Applications use OpenLDAP? Yeah, I am not really answering the question, let me try this.

You won't be able to just dump the password out of AD and import it into OpenLDAP. The formats are not the same. You could run some kind of cracker against AD, but since you said your area doesn't own AD, you would probably get in trouble for that. So, time for more options.

Write a password change screen. When a user needs to change their password, intercept the change and then call the native openLDAP change and the AD change on the back end.

To import users from AD, use Perl, Python, PHP, C, whatever and just dump them via an LDAP search refined to whatever you needed.

Another option would be to use some sort of Metadirectory to populate certain attributes. As far as partial replication of just the user containers in AD to OpenLDAP, I am not sure it can be done. If it can, I don't have great answers on it. So, I may have just filled your thread with nothing. If so sorry. If not, cheers. :)
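Two of the replies above fit together: the first one (use AD as the one source for authentication and OpenLDAP for everything else) and this one (you cannot copy the password out of AD, but you can dump the users with an LDAP search and import them). The added example below, which is not code from the thread, does the one-time import that way: it takes the attributes an AD search returns, turns each enabled user into an inetOrgPerson/posixAccount LDIF entry with a freshly assigned uidNumber, and sets userPassword to `{SASL}user@REALM`, which is OpenLDAP's pass-through authentication (slapd hands the bind password to saslauthd, which checks it against AD). That is a technique the posts do not name; it is swapped in here because it is the usual way to get "AD owns the password, OpenLDAP owns the Unix attributes" without users re-entering anything. The suffix ou=people,dc=example,dc=com, the realm CORP.EXAMPLE.COM, the UID range and the AD records are all made up for the example.

```python
import base64
import re

# Hypothetical names: the OpenLDAP people container, the AD Kerberos realm and the UID range.
PEOPLE_BASE = "ou=people,dc=example,dc=com"
AD_REALM = "CORP.EXAMPLE.COM"
FIRST_UID = 10000
USERS_GID = 100

# Constructed stand-in for what an ldapsearch against AD returns for enabled users; in practice
# filter with (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) so
# disabled accounts (bit 2 of userAccountControl) never get a Unix login.
AD_USERS = [
    {"sAMAccountName": "jdoe", "givenName": "John", "sn": "Doe", "mail": "jdoe@example.com"},
    {"sAMAccountName": "MMueller", "givenName": "Maria", "sn": "Müller", "mail": "mmueller@example.com"},
    {"sAMAccountName": "Svc Backup", "givenName": "Service", "sn": "Backup"},  # not a valid Unix login
]

# sAMAccountName allows spaces and mixed case; a Unix login name does not.
POSIX_NAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def posix_name(sam_account_name):
    """Lower-case the AD logon name and accept it only if it is a valid Unix login name."""
    name = sam_account_name.lower()
    return name if POSIX_NAME.match(name) else None


def ldif_line(attr, value):
    """Encode one attribute line, using base64 ('::') where RFC 2849 says the value is not a SAFE-STRING."""
    unsafe = (not value.isascii() or value[:1] in (" ", ":", "<")
              or value.endswith(" ") or any(c in value for c in "\0\r\n"))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def to_posix_entries(ad_users, first_uid=FIRST_UID, gid=USERS_GID, realm=AD_REALM):
    """Map AD user records to OpenLDAP inetOrgPerson + posixAccount attribute lists."""
    entries, next_uid = [], first_uid
    for u in ad_users:
        uid = posix_name(u["sAMAccountName"])
        if uid is None:
            continue                      # skip names that cannot be a Unix login; review these by hand
        given, sn = u.get("givenName", ""), u.get("sn", uid)
        attrs = [
            ("dn", f"uid={uid},{PEOPLE_BASE}"),
            ("objectClass", "inetOrgPerson"),
            ("objectClass", "posixAccount"),
            ("uid", uid),
            ("cn", f"{given} {sn}".strip()),
            ("sn", sn),
            ("uidNumber", str(next_uid)),
            ("gidNumber", str(gid)),
            ("homeDirectory", f"/home/{uid}"),
            ("loginShell", "/bin/bash"),
            # No hash is copied from AD (none can be). slapd forwards the bind to saslauthd,
            # which verifies the password against AD, so AD remains the single password store.
            ("userPassword", f"{{SASL}}{uid}@{realm}"),
        ]
        if given:
            attrs.append(("givenName", given))
        if u.get("mail"):
            attrs.append(("mail", u["mail"]))
        entries.append(attrs)
        next_uid += 1
    return entries


def to_ldif(entries):
    """Render entries as an LDIF document suitable for ldapadd."""
    blocks = ["\n".join(ldif_line(a, v) for a, v in attrs) for attrs in entries]
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    print(to_ldif(to_posix_entries(AD_USERS)), end="")
```

For the `{SASL}` entries to work, slapd must be built with Cyrus SASL, saslauthd must run with a mechanism that reaches AD (`-a ldap` pointed at the domain controllers over LDAPS, or `-a kerberos5` against the realm), and slapd's SASL config must say `pwcheck_method: saslauthd`. Two things to check before `ldapadd -f users.ldif`: that the UID range does not overlap existing posixAccount entries, and that every name the script skipped really should not get a login rather than just needing a hand-chosen uid.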
