Re: Password synchronisation between openldap and AD 2008 R2


 



On 16.1.2014 17:07, Louis-Marie Plumel wrote:
My environment is 99 % under linux and authentication is full LDAP.
You are a lucky man! :-)

For some 30 workstations under windows, I had to create an AD under 2008
R2. For some reasons, I have to synchronize passwords between LDAP and AD.
Linux users will keep authentication on LDAP. (Windows users are on LDAP
AND AD, and if they want to change their password, they have to do this on
LDAP. That's why I want to synchronise their password between LDAP and AD.)

In that case you can use either 389 password synchronization (which is simpler for initial configuration, I guess) or the upcoming version of FreeIPA (v3.4).

=== Beginning of FreeIPA advertisement === :-D

FreeIPA is more heavy-weight, but in the long term it will ease your administration of Linux machines.

With FreeIPA, you will have all your users in LDAP (FreeIPA's LDAP server), and on the Windows workstation you will specify the username as user@LINUXDOMAIN with the password used for LDAP/Kerberos, and that combination will allow you to log in.

Nothing will be copied to AD but the authentication request will be routed from Windows machine to FreeIPA server, the authentication will happen on the Linux side, and the result of authentication will be sent back to the Windows machine.

=== End of FreeIPA advertisement === :-D

Have a nice day!

Petr^2 Spacek

LM


2014/1/16 Petr Spacek <pspacek@xxxxxxxxxx>

On 16.1.2014 16:55, Louis-Marie Plumel wrote:

   Ok ok, I'm going to see what you sent to me. To be sure, may 389DS be an
intermediate between my two actual servers?

Not sure what you mean here.


Can my actual LDAP be used by 389DS? I'm sorry for these requests, I'm a
novice in this domain....


Could you describe what you are trying to achieve?

What is the use case? Logging in to workstations? To web apps? File sharing
over NFS with a centralized identity store? What else?

Petr^2 Spacek


  2014/1/16 Rich Megginson <rmeggins@xxxxxxxxxx>

    On 01/16/2014 08:12 AM, Louis-Marie Plumel wrote:

   Ok ok, I'm going to see what you sent to me. To be sure, may 389DS be an
intermediate between my two actual servers?

Not sure what you mean here.

   I have to keep my actual LDAP, which must remain the master, and
synchronization must be in a single direction (LDAP -> AD).

389 supports one way sync.

   Will users have to change their password?

Yes, unfortunately.


   My goal is that everything will be transparent.

Then you may want to look into IPA with AD cross domain trust as Petr
suggested.

    regards


2014/1/16 Petr Spacek <pspacek@xxxxxxxxxx>

  On 16.1.2014 15:59, Rich Megginson wrote:

  On 01/16/2014 07:57 AM, Louis-Marie Plumel wrote:

  Hello,

Actually, I work with openldap.
I've installed an AD 2008 R2. My challenge is to work with both and
synchronise LDAP and AD 2008 R2. After a long research on the web, I
didn't find any information about how to synchronise passwords. That's why I
come here to see if with 389 DS it's possible or not.


Yes.

https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Windows_Sync.html


   There is also one completely different option: Use trust between AD and
Unix domain. It depends on your requirements ...

See
http://www.freeipa.org/page/Trusts

or join mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users


--
Petr^2 Spacek
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users




