On 04/14/2015 12:41 PM, Gary Algier wrote:
Hello,
I am in search of a tool to solve a new directory
server issue in relation to Active Directory...
For a long time here at work, we have had LDAP as our
authentication source and nsswitch source for Solaris
and Linux. First it was the Solaris DS, later the 389
DS. When AD came along we started using the Active
Directory sync tool to sync passwords from the AD
environment, but did not try to store all the Posix
attributes in AD. This has worked well.
Recently, our company was bought by another that is
implementing AD as the only allowed authentication
source. We will be assimilated. However, they
can't/won't store all the other stuff we need such as the
Ethernet addresses, automount points, etc. They also
won't sync passwords. It looks like we will still need a
"real" directory server.
Does anyone have any ideas how to have two LDAP sources, one
used for authentication and possibly some user attributes,
group membership, etc. (AD) while using another (389?) for
the rest of the stuff?

Perhaps a mix of sync and PAM pass through auth. With PAM pass
through auth, you configure a PAM stack to authenticate to AD, then
configure 389 PAM passthrough auth to use that PAM stack for
authentication.
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/pam-pta.html

Is there some sort of frontend proxy that can merge the DITs
from two stores on the backend? I seem to remember reading
that the later versions of the Solaris DS could do something
like this.
I don't even know what kind of tool I am asking for or I
might be able to search for it and answer my own question.
Any pointers would be appreciated.
Gary Algier
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
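
The PAM pass-through setup suggested in the reply above, shown as an added example that is not part of the original thread. It assumes the 389 DS host already authenticates to AD through SSSD (`pam_sss.so`), that each entry's `uid` matches the AD login name, and that users live under the placeholder suffix `ou=People,dc=example,dc=com`; `ldapserver` is the PAM service name used in the linked Red Hat documentation.

```ldif
# Added example, not from the original thread. Placeholder values are marked.
#
# Step 1: PAM stack that the directory server will call, e.g. in
# /etc/pam.d/ldapserver (assumes SSSD is joined to AD on this host;
# substitute the PAM module your host actually uses to reach AD):
#
#   auth     required  pam_sss.so
#   account  required  pam_sss.so
#
# Step 2: point the 389 DS PAM Pass Through Auth plugin at that stack.
# Apply with ldapmodify as Directory Manager, then restart the instance
# so the plugin picks up the new configuration.
#
# Settings chosen here:
#   pamService        name of the PAM service file from step 1
#   pamIDMapMethod    ENTRY = take the PAM user name from an attribute of
#                     the bind entry (named by pamIDAttr)
#   pamIncludeSuffix  only binds under this subtree go to PAM
#                     (placeholder suffix)
#   pamFallback       FALSE = if PAM (AD) rejects the bind, do not fall back
#                     to a userPassword stored in 389, so AD stays the only
#                     authentication source
#   pamSecure         TRUE = refuse PAM pass-through on connections without
#                     TLS/SSL, since the simple bind carries the AD password
#                     in the clear
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
replace: pamService
pamService: ldapserver
-
replace: pamIDMapMethod
pamIDMapMethod: ENTRY
-
replace: pamIDAttr
pamIDAttr: uid
-
replace: pamIncludeSuffix
pamIncludeSuffix: ou=People,dc=example,dc=com
-
replace: pamFallback
pamFallback: FALSE
-
replace: pamSecure
pamSecure: TRUE
```

With this in place, POSIX attributes, automount maps and Ethernet addresses stay in 389 DS while every simple bind under the included suffix is checked against AD through the PAM stack.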