Good Morning,
I'm afraid my Google-fu is failing me, this morning. Synchronizing 389-ds with Active Directory is well understood.[1] However, for various non-technical reasons, I won't be able to do that for this environment.
What I need 389-ds to do is receive ID/Auth requests from an LDAP client, forward that request into the AD environment, and then pass the response back to the end client. I suppose I would be tasking 389-ds to act as an AD proxy server, without doing full synchronization.
For bonus points, I will be loading sudoers information[2] into 389-ds and using it for *nix privilege authorization. So, "ou=SUDOers,dc=example,dc=com" would be locally served, while "ou=People,dc=example,dc=com" and "ou=Groups,dc=example,dc=com" would be forwarded. (My SudoUser attributes will use user and group names returned from AD.)
Is using 389-ds as an AD proxy documented somewhere? Am I just not finding it?
Thanks! David
[1] - http://directory.fedoraproject.org/wiki/Howto:WindowsSync
[2] - http://www.sudo.ws/sudoers.ldap.man.html
--
David - Offbeat http://dafydd.livejournal.com dafydd - Online http://pgp.mit.edu/ Battalion 4 - Black Rock City Emergency Services Department Integrity*Commitment*Communication*Support
----5----1----5----2----5----3----5----4----5----5----5----6----5----7--
Werner Heisenberg is driving down the autobahn. A police officer pulls him over. The officer says, "Excuse me, sir, do you know how fast you were going?" "No," replies Dr. Heisenberg, "but I know where I am."
Ah-ha! It's all in the wording.
Once I got a clue to search on "database chaining," I found the right docs...
db
On Mar 12, 2013, at 09:46, David Barr dafydd@dafydd.com wrote:
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
--
David - Offbeat http://dafydd.livejournal.com dafydd - Online http://pgp.mit.edu/ Battalion 4 - Black Rock City Emergency Services Department Integrity*Commitment*Communication*Support
Rene Descartes walks into his neighborhood watering hole. The publican sees him and asks, "Will you have your usual, sir?"
Descartes ponders a moment and replies, "I think not."
And promptly disappears...
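As a worked example of the "database chaining" setup the thread ends on, added here and not part of David's post or of the 389-ds documentation he found: a database link (chaining backend) for ou=People and ou=Groups that forwards those subtrees to an AD domain controller, while the local backend under dc=example,dc=com keeps serving ou=SUDOers. The AD hostname, the bind account and its password, and the link names are placeholders; nsproxiedauthorization is included as an assumption about the chaining attribute set and should be checked against the chaining reference for the 389-ds version in use.

```ldif
# Added example, not from the thread. Load with ldapmodify as Directory Manager.
# Placeholders: ad-dc.example.com, cn=ds-proxy,..., CHANGE-ME, link names.

# 1. Chaining backend instance ("database link") for ou=People.
dn: cn=peopleLink,cn=chaining database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
cn: peopleLink
nsslapd-suffix: ou=People,dc=example,dc=com
# LDAPS so forwarded binds and the link's own credentials never cross the wire in clear.
nsfarmserverurl: ldaps://ad-dc.example.com:636/
# Read-only, least-privilege AD account used for the server-to-server connection.
nsmultiplexorbinddn: cn=ds-proxy,ou=ServiceAccounts,dc=example,dc=com
nsmultiplexorcredentials: CHANGE-ME
# Assumption: AD does not honour the LDAP proxied-authorization control that the
# chaining backend adds by default, so requests are made as the bind account above.
nsproxiedauthorization: off

# 2. Mapping-tree entry routing the ou=People suffix to that link.
dn: cn="ou=People,dc=example,dc=com",cn=mapping tree,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsMappingTree
cn: "ou=People,dc=example,dc=com"
nsslapd-state: backend
nsslapd-backend: peopleLink
nsslapd-parent-suffix: "dc=example,dc=com"

# 3. Same pair for ou=Groups.
dn: cn=groupsLink,cn=chaining database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
cn: groupsLink
nsslapd-suffix: ou=Groups,dc=example,dc=com
nsfarmserverurl: ldaps://ad-dc.example.com:636/
nsmultiplexorbinddn: cn=ds-proxy,ou=ServiceAccounts,dc=example,dc=com
nsmultiplexorcredentials: CHANGE-ME
nsproxiedauthorization: off

dn: cn="ou=Groups,dc=example,dc=com",cn=mapping tree,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsMappingTree
cn: "ou=Groups,dc=example,dc=com"
nsslapd-state: backend
nsslapd-backend: groupsLink
nsslapd-parent-suffix: "dc=example,dc=com"
```

Nothing is added for ou=SUDOers: it is a plain subtree of the local dc=example,dc=com backend, so searches for it are answered locally while searches under the two chained suffixes are forwarded. Two points worth checking after loading this: the credentials in nsmultiplexorcredentials end up in dse.ldif, so that file needs the same protection as any other secret store and the AD account should hold read rights only; and with proxied authorization off every forwarded search runs under the ds-proxy identity, so AD's ACLs on that one account, not the end client's, decide what the 389-ds clients can see.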