
I don't know much about Directory Server or Windows Active Directory. I just want to know whether it is possible to have a Windows Active Directory and a Directory Server (say, Red Hat DS or Fedora Directory Server) interoperate.

I was looking at Red Hat Directory Server's Windows Sync, which lets Directory Server synchronize user and group attributes from AD and handle authentication. I want to know if it is possible for the Directory Server to handle the group policies, GPO updates etc., and whether Directory Server can be used as a source for SSO?

sabs6488

1 Answer

I want to know if it is possible for the directory server to handle the group policies, GPO updates etc.,

What's the point of even having AD then? SAMBA 4 supposedly has full GPO support, but you'd be hard pressed to find many admins jumping to it at organizations with more than a handful of computers. I don't know of any way other than running AD (supported) or run SAMBA 4 (unsupported).

and can Directory Server be used as a source for SSO?

It's all just Kerberos nowadays, so as long as your mystery application supports it, sure - but the harder part is getting a Windows client to get a Kerberos ticket and successfully negotiate the logon process from a non-AD (or non-SAMBA) directory server. You really can't without a ton of unsupported hackery as far as I know.


What's the bottom line? Just use AD for your Windows clients and either use AD for your *nix, or keep your *nix directory server in sync with an identity management solution like Tivoli or FIM.

MDMarra
  • Well, the client is looking for a solution to reduce the cost of AD CAL licenses. They are looking for a solution where only some of the users are in AD and the other users are part of some open-source implementation, and all the users should be part of the same domain. As far as the computers go, they are all going to be Windows. Is it possible? I may sound stupid, because I don't have any sysadmin experience and am just doing research. – sabs6488 Jan 02 '13 at 19:04
  • No, that's not possible. You're going to need to get rid of Windows Server entirely if you want to get rid of CALs. So either use a SAMBA 4 AD domain (which is a bad idea in most cases IMO and had been covered in plenty of other questions) or suck it up and pay the CALs and have **support** which means that if something breaks, you can call Microsoft - which you can't do with the situation that you're proposing. – MDMarra Jan 02 '13 at 19:06
  • Thanks for the clarification. Sorry for not being so clear with the question. – sabs6488 Jan 02 '13 at 19:09
  • No problem. I understood the question just fine, no apologies needed - though in the future it's probably a good idea to include what the actual problem is that you're trying to solve (in this case, reduce the cost of CALs) – MDMarra Jan 02 '13 at 19:09
  • @sabs6488 Do your client a favor and advise them against what they're trying to do. You can either pay 4 figures for Windows CALs, or pay tens or even hundreds of thousands of dollars more for assorted techies to create and maintain a custom solution that won't work nearly as well. – HopelessN00b Jan 02 '13 at 19:15