Hello,
Actually, I work with OpenLDAP. I've installed an AD 2008 R2. My challenge is to work with both and synchronise LDAP and AD 2008 R2. After a long research on the web, I haven't found any information about how to synchronise passwords. That's why I come here to see whether it's possible with 389 DS or not. Thank you for your help.
On 01/16/2014 07:57 AM, Louis-Marie Plumel wrote:
Yes. https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/...
-- Louis-Marie Plumel louismarie.plumel@gmail.com
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
On 16.1.2014 15:59, Rich Megginson wrote:
There is also one completely different option: use a trust between AD and the Unix domain. It depends on your requirements ...
See http://www.freeipa.org/page/Trusts
or join mailing list https://www.redhat.com/mailman/listinfo/freeipa-users
Have a nice day!
Ok ok, I'm going to look at what you sent me. To be sure, can 389DS be an intermediate between my two actual servers? I have to keep my actual LDAP and it must remain the master, and synchronization must be a single direction (LDAP -> AD). Will users have to change their password? My goal is that everything will be transparent. Regards
2014/1/16 Petr Spacek pspacek@redhat.com
On 16.1.2014 15:59, Rich Megginson wrote:
On 01/16/2014 07:57 AM, Louis-Marie Plumel wrote:
Yes. https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Windows_Sync.html
-- Petr^2 Spacek
On 01/16/2014 08:12 AM, Louis-Marie Plumel wrote:
Ok ok, I'm going to look at what you sent me. To be sure, can 389DS be an intermediate between my two actual servers?
Not sure what you mean here.
I have to keep my actual LDAP and it must remain the master, and synchronization must be a single direction (LDAP -> AD).
389 supports one way sync.
Will users have to change their password?
Yes, unfortunately.
My goal is that everything will be transparent.
Then you may want to look into IPA with AD cross domain trust as Petr suggested.
regards
Ok ok, I'm going to look at what you sent me. To be sure, can 389DS be an intermediate between my two actual servers?
Not sure what you mean here.
Can my actual LDAP be used by 389DS? I'm sorry for these requests, I'm a novice in this domain....
On 16.1.2014 16:55, Louis-Marie Plumel wrote:
Could you describe what are you trying to achieve?
What is the use case? Logging in to workstations? To web apps? File sharing over NFS with a centralized identity store? What else?
Petr^2 Spacek
My environment is 99% under Linux and authentication is fully LDAP. For some 30 workstations under Windows, I had to create an AD under 2008 R2. For some reasons, I have to synchronize passwords between LDAP and AD. Linux users will keep authenticating on LDAP. (Windows users are on LDAP AND AD, and if they want to change their password, they have to do this on LDAP. That's why I want to synchronise their password between LDAP and AD.) LM
On 01/16/14 11:07, Louis-Marie Plumel wrote:
I installed the Windows password sync from the 389DS project on our DCs and it works with the Sun/Solaris/Java directory server just fine. It should work with any LDAP server.
However:
1. The Windows DCs will be the master of the passwords. Users will need to change their passwords in that environment.
2. It must be installed on all DCs as you never know which DC the Windows client will send the change to.
3. You may need to adjust the parameters of the module by editing the registry after installation. The default attributes did not suit our needs. We use the UID attribute for the LDAP equivalent of the Windows SamAccountName attribute.
1. The Windows DCs will be the master of the passwords. Users will need to change their passwords in that environment.
Not true, the password synchronization is based upon certain attributes in the database. 389 will only sync to AD if the ntuser objectClass is available, and in AD it's posixAccount? iirc.
2. It must be installed on all DCs as you never know which DC the Windows client will send the change to.
Nope, it's a single point of failure, it must be installed onto *ONE* DC otherwise they will be overwriting each other.
3. Right, that is a limitation, but there are bad workarounds for it. You can modify and create a pointer from SamAccountName to UID in the AD schema, but the UID will be UID in 389; does your application point to AD or 389?
As Petr stated, I do suggest looking at IdM/IPA as an alternative solution because it contains the compat tree for legacy applications, and on RHEL7/Fedora it currently supports a trust, which will then negate having AD users change their passwords. Just make sure you have fully redundant IPA and AD servers so authentication will not break.
Dan
On 01/16/2014 12:08 PM, Gary Algier wrote:
Dan Lavu wrote:
1. The Windows DCs will be the master of the passwords. Users will need to change their passwords in that environment.
Not true, the password synchronization is based upon certain attributes in the database. 389 will only sync to AD if the ntuser objectClass is available, and in AD it's posixAccount? iirc.
2. It must be installed on all DCs as you never know which DC the Windows client will send the change to.
Nope, it's a single point of failure, it must be installed onto *ONE* DC otherwise they will be overwriting each other.
The passsync service needs to be installed onto ALL DCs for the reason stated: you don't know which one will get the password change. This intercepts the cleartext password and sends it over SSL to the 389-ds server, where it can then hash it.
On 01/16/14 14:43, Dan Lavu wrote:
1. The Windows DCs will be the master of the passwords. Users will need to change their passwords in that environment.
Not true, the password synchronization is based upon certain attributes in the database. 389 will only sync to AD if the ntuser objectClass is available, and in AD it's posixAccount? iirc.
If one is using 389DS, that may be true, but when using it with a "generic" LDAP implementation one must make the change in the Windows universe. In this case the desire seems to be to use OpenLDAP, not to change the LDAP implementation.
2. It must be installed on all DCs as you never know which DC the Windows client will send the change to.
Nope, it's a single point of failure, it must be installed onto *ONE* DC otherwise they will be overwriting each other.
No, the password sync code gets the password while it is still plain text and syncs it to the LDAP server. Once a Windows AD server saves the password it has been hashed, and it is replicated to the other Windows AD servers in hashed format. The replicas cannot resubmit it to the password sync code.
Just to clarify, I am talking about the password sync documented here: http://directory.fedoraproject.org/wiki/Howto:WindowsSync#Installing_PassSyn...
The registry change I made (after installing) was:
[HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync]
"User Name Field"="uid"
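An added check, not from the thread and not part of PassSync itself, that follows up on the point Rich and Gary make above that the service must be present on every DC: it reads the HKLM\SOFTWARE\PasswordSync key quoted above on each domain controller and flags any DC where the key is absent, the service is not running, or "User Name Field" maps a different attribute. Assumptions: the key path and the "User Name Field" value are taken from Gary's message; the service display name containing "Password Sync" and the expected attribute "uid" are assumptions to adjust for your own installation.

```powershell
# Added example, not from the thread. Verifies PassSync coverage on every DC.
# Assumption: PassSync keeps its settings under HKLM\SOFTWARE\PasswordSync (the key
# quoted in the thread); "User Name Field" is the LDAP attribute it matches against
# the SamAccountName. The service display-name filter below is an assumption.
param(
    [string]$ExpectedUserNameField = 'uid'   # the attribute Gary set; change for your directory
)

Import-Module ActiveDirectory

$keyPath = 'HKLM:\SOFTWARE\PasswordSync'

# Runs on each DC: report whether the key exists, which attribute is mapped, and
# whether the sync service is running.
$probe = {
    param($KeyPath)
    $result = [ordered]@{
        Computer      = $env:COMPUTERNAME
        KeyPresent    = Test-Path $KeyPath
        UserNameField = $null
        ServiceStatus = $null
    }
    if ($result.KeyPresent) {
        $props = Get-ItemProperty -Path $KeyPath
        $result.UserNameField = $props.'User Name Field'
    }
    # Assumption: the PassSync Windows service has "Password Sync" in its display name.
    $svc = Get-Service | Where-Object { $_.DisplayName -like '*Password Sync*' } | Select-Object -First 1
    if ($svc) { $result.ServiceStatus = $svc.Status.ToString() }
    [pscustomobject]$result
}

# Every writable DC can receive a password change, so every one of them is probed.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    try {
        Invoke-Command -ComputerName $dc -ScriptBlock $probe -ArgumentList $keyPath -ErrorAction Stop
    } catch {
        # An unreachable DC is reported as a gap rather than silently skipped.
        [pscustomobject]@{
            Computer      = $dc
            KeyPresent    = $false
            UserNameField = $null
            ServiceStatus = "unreachable: $($_.Exception.Message)"
        }
    }
}

$report | Format-Table -AutoSize

# A DC without the key, without a running service, or with a different attribute
# mapping is a gap: a password change handled by that DC never reaches the LDAP server.
$gaps = $report | Where-Object {
    -not $_.KeyPresent -or
    $_.UserNameField -ne $ExpectedUserNameField -or
    $_.ServiceStatus -ne 'Running'
}
if ($gaps) {
    Write-Warning ('PassSync missing or misconfigured on: ' + (($gaps | ForEach-Object Computer) -join ', '))
    exit 1
}
Write-Output 'PassSync present and consistently configured on all DCs.'
```

Run it from a host with the ActiveDirectory module and WinRM access to the DCs; a non-zero exit means at least one DC would drop password changes on the floor.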
On 16.1.2014 17:07, Louis-Marie Plumel wrote:
My environment is 99 % under linux and authentication is full LDAP.
You are a lucky man! :-)
For some 30 workstations under Windows, I had to create an AD under 2008 R2. For some reasons, I have to synchronize passwords between LDAP and AD. Linux users will keep authenticating on LDAP. (Windows users are on LDAP AND AD, and if they want to change their password, they have to do this on LDAP. That's why I want to synchronise their password between LDAP and AD.)
In that case you can use either 389 password synchronization (which is simpler for the initial configuration, I guess) or the upcoming version of FreeIPA (v3.4).
=== Beginning of FreeIPA advertisement === :-D
FreeIPA is more heavy-weight, but in the long term it will ease your administration of Linux machines.
With FreeIPA, you will have all your users in LDAP (FreeIPA's LDAP server), and on the Windows workstation you will specify the username as user@LINUXDOMAIN with the password used for LDAP/Kerberos, and that combination will allow you to log in.
Nothing will be copied to AD, but the authentication request will be routed from the Windows machine to the FreeIPA server, the authentication will happen on the Linux side, and the result of the authentication will be sent back to the Windows machine.
=== End of FreeIPA advertisement === :-D
Have a nice day!
Petr^2 Spacek