phiglit_missally
Jun 10, 2004

Mostly Harmless

I have an interesting problem.

I would like to replicate the user accounts from our AD user store to an OpenLDAP, with passwords being translated into what a Unix client would query against. Do any of you fine people have a good website for walking through the process? I have done Google search after Google search, but all of the sites I have found are for consulting on doing this, or just posts/emails saying (in more words) "Keep them separate."

Any advice or sites you could recommend?

phiglit_missally
Jun 10, 2004

Mostly Harmless

mastahnke posted:

Couldn't you just use AD rather than replicate it into OpenLDAP? You can certainly make Linux boxes authenticate and authorize against AD.

I assume you have other good stuff in your OpenLDAP and that's why you want to use it? You could always have one source of data for authentication (AD) and one for other goodness.

Right. We do not have direct control over our AD in my office, due to being owned by a bigger company. We have a lot more stuff that needs an extended schema though. Without divulging too much, we run game servers, game development environments, and host a lot of services like a wiki, ticket tracking, lots of MySQL databases, and Unix logins for the entire building. I would rather keep the Unix/Linux side working the way it is through LDAP, just because it is working. I would just like to migrate at least some of the Windows user accounts to our Unix side.

I don't really need active replication, but a script or something to migrate the first time would definitely help a lot. I can keep the user accounts fairly synced going forward, but inputting over 100 user records by hand, and getting the users to input a password, is not something I would choose to do.

phiglit_missally
Jun 10, 2004

Mostly Harmless

Postal posted:

Anyone know any good GUI frontends for Snort?

ACID
It's web-based, and not exactly easy to set up, but it works like a champ once you do.

phiglit_missally
Jun 10, 2004

Mostly Harmless

mastahnke posted:

OK, so for user information use AD and for applications use OpenLDAP? Yeah, I am not really answering the question, let me try this.

You won't be able to just dump the password out of AD and import it into OpenLDAP. The formats are not the same. You could run some kind of cracker against AD, but since you said your area doesn't own AD, you would probably get in trouble for that. So, time for more options.

Write a password change screen. When a user needs to change their password, intercept the change and then call the native OpenLDAP change and the AD change on the back end.

To import users from AD, use Perl, Python, PHP, C, whatever and just dump them via an LDAP search refined to whatever you needed.

Another option would be to use some sort of metadirectory to populate certain attributes. As far as partial replication of just the user containers in AD to OpenLDAP, I am not sure it can be done. If it can, I don't have great answers on it. So, I may have just filled your thread with nothing. If so, sorry. If not, cheers.

What I was thinking of doing is to put up an LDAP server with the schemas required to do a "full" replication of the AD using Samba schema extensions, and just make all the applications use Samba binding to authenticate with this LDAP server (password and lookup tags etc.). I have never done this particular setup before, so it's uncharted territory for me. If anyone has advice for this, help is welcome.
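The two suggestions in the post above (dump the users with an LDAP search and import them, then intercept password changes and push them to both directories) as an added worked example. This is not code from the thread or from any of the posters; it runs offline against a constructed sample of AD search results. The dc=example,dc=com suffix, the ou=People container, the uidNumber range, the default gidNumber and the sample users are all assumptions. It also shows the one thing mastahnke points out: the AD search returns no unicodePwd, so the imported accounts get no userPassword at all and are unusable until the user sets one through the change screen.

```python
"""AD -> OpenLDAP one-time import plus a dual-directory password change.
Added example, not code from the original thread; names are assumptions."""
import base64
import hashlib
import os

LDAP_BASE = "dc=example,dc=com"   # assumed OpenLDAP suffix
UID_START = 10000                 # assumed first uidNumber to allocate
GID_DEFAULT = 100                 # assumed default primary group

# AD search filter: enabled user objects only. Bit 2 of userAccountControl is
# ACCOUNTDISABLE and 1.2.840.113556.1.4.803 is AD's bitwise-AND matching rule,
# so the negated clause drops disabled accounts from the import.
AD_USER_FILTER = ("(&(objectCategory=person)(objectClass=user)"
                  "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")
AD_ATTRS = ["sAMAccountName", "givenName", "sn", "mail", "displayName"]

# Constructed sample of what that search returns for AD_ATTRS. unicodePwd is
# absent on purpose: AD never returns it to a search, so no hash can be copied.
SAMPLE_AD_ENTRIES = [
    {"sAMAccountName": "JDoe", "givenName": "Jane", "sn": "Doe",
     "mail": "jdoe@example.com", "displayName": "Jane Doe"},
    {"sAMAccountName": "bsmith", "givenName": "Bob", "sn": "Smith",
     "mail": "bsmith@example.com"},
]


def ldif_attr(name, value):
    """One LDIF attribute line; base64 ('::') when the value is not LDIF-safe."""
    safe = (value.isascii() and value.isprintable()
            and value == value.strip() and not value.startswith((":", "<")))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: " + base64.b64encode(value.encode("utf-8")).decode("ascii")


def ad_entry_to_ldif(entry, uid_number):
    """One AD search result -> one inetOrgPerson/posixAccount LDIF record.
    No userPassword is written: with the attribute absent a simple bind fails,
    so the account is locked until the user sets a password (see below)."""
    uid = entry["sAMAccountName"].lower()
    cn = entry.get("displayName") or f"{entry['givenName']} {entry['sn']}"
    lines = [
        f"dn: uid={uid},ou=People,{LDAP_BASE}",
        "objectClass: top",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        ldif_attr("uid", uid),
        ldif_attr("cn", cn),
        ldif_attr("sn", entry["sn"]),
        ldif_attr("givenName", entry["givenName"]),
        ldif_attr("mail", entry["mail"]),
        f"uidNumber: {uid_number}",
        f"gidNumber: {GID_DEFAULT}",
        f"homeDirectory: /home/{uid}",
        "loginShell: /bin/bash",
    ]
    return "\n".join(lines) + "\n"


def build_import_ldif(entries, uid_start=UID_START):
    """LDIF for a one-time ldapadd, one record per AD user, blank-line separated."""
    return "\n".join(ad_entry_to_ldif(e, uid_start + i) for i, e in enumerate(entries))


def ssha_hash(password, salt=None):
    """OpenLDAP's {SSHA} scheme: base64(sha1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def ad_unicode_pwd(password):
    """AD's unicodePwd value: the password in double quotes, UTF-16LE.
    AD only accepts a write to it over an encrypted connection (LDAPS/sealing)."""
    return f'"{password}"'.encode("utf-16-le")


def password_change_modlists(uid, ad_dn, password):
    """What the change screen sends once the user enters a new password:
    a replace of userPassword on the OpenLDAP entry and a replace of
    unicodePwd on the AD entry. ad_dn is looked up by sAMAccountName in practice."""
    return {
        "openldap": (f"uid={uid},ou=People,{LDAP_BASE}",
                     [("replace", "userPassword", ssha_hash(password))]),
        "ad": (ad_dn, [("replace", "unicodePwd", ad_unicode_pwd(password))]),
    }


if __name__ == "__main__":
    print(build_import_ldif(SAMPLE_AD_ENTRIES))
    print(password_change_modlists("jdoe", "CN=Jane Doe,CN=Users," + LDAP_BASE, "hunter2"))
```

The import half is meant to feed `ldapadd -x -D cn=admin,dc=example,dc=com -W -f users.ldif` after the real search (for example `ldapsearch -H ldaps://dc... -b dc=example,dc=com "$AD_USER_FILTER" sAMAccountName givenName sn mail displayName`). The change-screen half only builds the two modlists; with python-ldap they go out as `modify_s(dn, [(ldap.MOD_REPLACE, attr, [value])])`, and the AD one must travel over LDAPS, because the domain controller refuses a unicodePwd write on a cleartext connection. Because the Unix hash is generated from the cleartext at change time, no attempt is ever made to read or crack anything out of the AD you do not own.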
