The Linux Questions Thread: a bunch of pitfalls, but technically it's possible

The Something Awful Forums > Discussion > Serious Hardware/Software Crap > The Linux Questions Thread: a bunch of pitfalls, but technically it's possible

phiglit_missally: Jun 10, 2004; Mostly Harmless

I have an interesting problem.

I would like to replicate the user accounts from our AD user store, to an OpenLDAP, with passwords being translated into what a Unix client would query against. Do any of you fine people have a good website for walking through the process? I have done google search after google search, but all of the sites I have found are for consulting on doing this, or just posts/emails saying (in more words) "Keep them separate."

Any advice or sites you could recommend?

# ¿ Mar 24, 2007 17:47

Adbot: ADBOT LOVES YOU

# ¿ Apr 28, 2024 12:00

phiglit_missally: Jun 10, 2004; Mostly Harmless

mastahnke posted:

Couldn't you just use AD rather than replicate it into OpenLDAP? You can certainly make Linux boxes authenticate and authorize against AD.

I assume you have other good stuff in your OpenLDAP and that's why you want to use it? You could always have one source of data for authentication (AD) and one for other goodness.

Right. We do not have direct control over our AD in my office, due to being owned by a bigger company. We have a lot more stuff that needs an extended schema though. Without divulging to much, we run game servers, game development environments, and host a lot of services like a wiki, ticket tracking, lots of mysql databases, and unix logins for the entire building. I would rather keep the Unix/Linux side working the way it is through ldap, just because it is working. I would just like to migrate at least some of the windows user accounts with our unix side.

I don't really need active replication, but a script or something to migrate the first time would definatly help a lot. I can keep the user accounts fairly sync'd going forward, but inputting over 100 user records by hand, and getting the users to input a password is not something I would choose to do.

# ¿ Mar 25, 2007 19:00

phiglit_missally: Jun 10, 2004; Mostly Harmless

Postal posted:

Anyone know any good GUI frontends for Snort?

ACID
Its web based, and not exactly easy to setup, but it works like a champ once you do.

# ¿ Mar 30, 2007 02:47

phiglit_missally: Jun 10, 2004; Mostly Harmless

mastahnke posted:

Ok, so for user information use AD and for Applications use OpenLDAP? Yeah, I am not really answering the question, let me try this.

You won't be able to just dump the password out of AD and import it into OpenLDAP. The formats are not the same. You could run some kind of cracker against AD, but since you said your area doesn't own AD, you would probably get in trouble for that. So, time for more options.

Write a password change screen. When a user needs to change their password, intercept the change and then call the native openLDAP change and the AD change on the back end.

To import users from AD, use Perl, Python, PHP, C, whatever and just dump them via an LDAP search refined to whatever you needed.

Another option would be to use some sort of Metadirectory to populate certain attributes. As far as partial replication of just he user containers in AD to OpenLDAP, I am not sure it can be done. If it can, I don't have great answers on it. So, I may have just filled your thread with nothing. If so sorry. If not, cheers.

What I was thinking of doing, is put up a LDAP server with the schemas required to do a "full" replication of the AD using samba schema extensions, and just make all the applications use samba binding to authenticate with this LDAP server (password and lookup tags etc). I have never done this particular setup before, so its uncharted territory for me. If anyone has advice for this, help is welcome.

# ¿ Mar 30, 2007 16:51

The Something Awful Forums > Discussion > Serious Hardware/Software Crap > The Linux Questions Thread: a bunch of pitfalls, but technically it's possible