I'm pretty new to LDAP and AD. I have to port our present authorization/authentication structure from AD to OpenLDAP. Is it possible to run the entire setup on Windows? What are the steps for migration of the policies and adjustments required? I've read up a few tutorials, so I should be able to follow the inputs. Regards, Anthony G.
- Active Directory does a lot more than just provide a directory service like OpenLDAP. Do you want to just migrate the directory part of AD or do you want a complete AD replacement with free software? – joschi Jul 07 '10 at 06:52
- Hi, we are aiming for a full replacement of AD, hopefully on the Windows environment itself using OpenLDAP. – Jul 07 '10 at 10:02
2 Answers
My first answer would be don't...
What I think you are actually asking is: How do I port from Microsoft AD Domain to a Samba/OpenLDAP/Kerberos setup. It's Samba that actually handles the authentication/authorisation side of things - OpenLDAP is just a directory.
Samba barely does group policies - you need to use the NTPOL editor from Windows NT4 days - it only has 70-80% of the functionality of XP local group policy (before some wise guy pipes up about Samba 4 - it's not out yet, one day maybe). You can apply Samba policy only to user groups, not computer groups - the list goes on.
There are no easy migration wizards, pretty much every Samba tutorial does it from scratch, which is what you may end up doing. And in the end you will end up with a setup that is not as good as before - I suggest you think long & hard about whether it is the right thing to do (and yes I do support a Samba domain, and wish every day I had a Windows one).
- Have to agree with this. There's a few things that I think come under the heading of "If you have to ask how, then you probably shouldn't" and this is one of them. – Rob Moir Jul 07 '10 at 07:37
- Actually, Kerberos handles the authentication in that trio. Samba provides filesharing, policy, and an SMB interface to the backend functions. You can use LDAP/Kerberos directly without going through Samba. PADL does have some migration scripts which might be helpful. – Borealid Jul 07 '10 at 08:10
- @Borealid - Kerberos doesn't have to do authentication, it's optional. – Jon Rhoades Jul 07 '10 at 08:18
- OpenLDAP can run on Windows, yes. I wouldn't really recommend it; if you're running a Windows server OS you'll get better integration with AD.
- I don't think OpenLDAP policies and Active Directory policies are entirely compatible. At the very least, OpenLDAP has a "config" directory not present on AD, and AD handles server referrals differently. The two implementations also support different extensions (for instance, until very recently, the WHOAMI extension wasn't supported on AD). You'll probably have to go back to your policy document and create new ACLs for OpenLDAP.
- If you use strict schema enforcement, which you should, you'll have to find the right objectclasses for your AD data. If you're just migrating users, nothing more, it might be easier to dump/import them than to copy the whole LDAP tree. Watch out for password salting/hash algorithms.
If you're using AD authentication, your actual auth is Kerberos, not LDAP. The user principals are stored in LDAP, yes, but the auth step is Kerberos. OpenLDAP alone won't give you feature parity (Single Sign On) with AD. You'll need to pair it with a Kerberos server, such as Heimdal or MIT Kerberos, for that.
This is not a simple or easy process. For an organization of any size, this is something that should be done by an MCSE with a solid handle on enterprise software architecture and some experience with UNIXish operating systems.
- Thanks Borealid. Right now I have to create the POC of the same. Expected user count might come to 300 with later expandability accounted for. For now I have to forgo the MCSE cert. part, as there are none in sight. I have looked at JSSO for the single sign on part, though. (I'm new to SSO as well.) – Jul 07 '10 at 09:10
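On the dump/import and password-hash caveats raised in the answer above, here is an added example (not code from the answer or from any project in the thread) that maps a constructed AD user export onto inetOrgPerson LDIF entries and generates and verifies {SSHA} userPassword values that OpenLDAP understands; the sample records, BASE_DN and the attribute mapping are assumptions. Because AD stores NT hashes that cannot be converted to an OpenLDAP scheme, each migrated user gets a reset password rather than a copied one.

```python
import base64
import hashlib
import os
from typing import Optional

# Constructed sample of an AD user dump (not real data); attribute names are AD's.
AD_EXPORT = [
    {"sAMAccountName": "agarcia", "givenName": "Anthony", "sn": "Garcia",
     "mail": "agarcia@example.com"},
    {"sAMAccountName": "jdoe", "givenName": "Jane", "sn": "Doe",
     "mail": "jdoe@example.com"},
]
BASE_DN = "ou=people,dc=example,dc=com"  # assumed target suffix in OpenLDAP


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # fresh random salt per user, so equal passwords differ
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA} value (salt follows the 20-byte digest)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def ad_user_to_ldif(user: dict, new_password: str) -> str:
    """Map one AD record onto inetOrgPerson, which under strict schema requires cn and sn.
    AD keeps NT hashes that cannot be converted to an OpenLDAP scheme, so every
    migrated user gets a reset password, stored here as {SSHA}."""
    uid = user["sAMAccountName"]
    lines = [
        f"dn: uid={uid},{BASE_DN}",
        "objectClass: inetOrgPerson",
        f"uid: {uid}",
        f"cn: {user['givenName']} {user['sn']}",
        f"sn: {user['sn']}",
        f"givenName: {user['givenName']}",
        f"mail: {user['mail']}",
        f"userPassword: {ssha_hash(new_password)}",
    ]
    return "\n".join(lines) + "\n"
```

The resulting entries can be loaded with ldapadd; the reset passwords must be communicated to users out of band, since nothing from the AD password store survives the move.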