Extend your AD schema with SFU (http://www.microsoft.com/downloads/details.aspx?familyid=896C9688-601B-44F1-81A4-02878FF11778&displaylang=en). Use Kerberos for authentication and nss_ldap for user information.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:linux-il-[EMAIL PROTECTED]] On Behalf Of Ohad Levy
> Sent: Wednesday, December 26, 2007 3:22 AM
> To: ILUG
> Subject: Re: [YBA] NIS vs LDAP
>
> Hi,
>
> just my couple of cents:
>
> AD and Linux authentication works quite well, that means for
> authentication only, you can use Kerberos to authenticate users that
> you have on your AD.
>
> however, it's quite important to know that user id mapping will be done
> via winbind (or maybe a mapping file), and as discussed, file
> permissions in unix-like fs are defined by the user and group id.
>
> so that could result in different machines having a different user ID
> for the same user (very bad).
>
> you would still need to find a way to handle your autofs and other maps
> which do not exist on ad (as far as I'm aware).
> there is, however, a UNIX services for AD (which is somehow a NIS
> implementation) but I'm not really sure if it's active and/or working.
>
> an alternative is to use openldap and AD (if ms environment is really
> important for you) and then to create the same user names in both
> environments, and sync the passwords (I'm not sure what the tool name is,
> but one exists - just google for it).
> of course this could be extended to delete the accounts when you remove
> them from ad etc (using scripts).
>
> the last option - which is the best in my eyes for a small environment,
> would be to use openldap (with replica) and on top using samba for the
> windows users and native ldap for the rest.
>
> if your environment is bigger, consider using the Fedora/Red Hat
> Directory Server or SunONE.
>
> Ohad
>
>
> On Dec 26, 2007 4:02 AM, Ariel Biener <[EMAIL PROTECTED]> wrote:
>
> > On Tuesday, 25 December 2007 21:54, Shachar Shemesh wrote:
> > > There is one thing that everyone in this discussion seems to have missed
> > > so far, and that is that AD *is* LDAP.
> >
> > Ariel Biener wrote:
> > > Well, I wouldn't choose any of the above in the way it is described. I
> > > believe that MS AD is the best tool to use for a Windows environment, LDAP
> > > is the best tool for a Linux environment
> >
> > Assuming that is the case (open to discussions), then open an AD server
> > and use it as an LDAP server for the non-Windows machines.
>
> Sorry, despite MS's claim that their directory server is an implementation of
> LDAPv3, I find it often missing, non-standard and minimalist for such
> a claim. Given the choice (and I was actually given this choice when I had
> to choose which directory server to go for @TAU), I left AD to do what it
> is good at, that is, management and authentication in a Windows-based
> environment, and I used a directory that is the most proven, oldest,
> and most extensible in the industry. It's called eDirectory. Sun's directory
> server is also an option. There are also others, which are not bad. MS is
> definitely not there, they came in late and have quite some catching up
> to do.
>
>
> --Ariel
> --
> Ariel Biener
> e-mail: [EMAIL PROTECTED]
> PGP: http://www.tau.ac.il/~ariel/pgp.html
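A concrete version of the setup recommended at the top of this message (SFU-extended schema, Kerberos for authentication, nss_ldap for identity), added here as an illustration; it is not a configuration from the thread, from the list, or from Microsoft. The hostnames, the EXAMPLE.COM realm, the base DN and the "nssproxy" account are assumptions. Attribute names are those of the SFU 3.5 schema (msSFU30*); Windows Server 2003 R2 and later store the same data under the RFC 2307 names (uidNumber, gidNumber, loginShell, unixHomeDirectory), in which case only the homeDirectory mapping below is still needed. The point of putting uidNumber/gidNumber in the directory is that every Linux host resolves the same user to the same numeric ID, which is exactly the winbind mapping problem described above.

```conf
# Added example: nss_ldap + Kerberos against an SFU-extended AD.
# dc1/dc2.example.com, EXAMPLE.COM, dc=example,dc=com and the nssproxy
# account are assumptions, not values from the thread.

### /etc/ldap.conf  (nss_ldap; Debian/Ubuntu read /etc/libnss-ldap.conf)
uri ldap://dc1.example.com/ ldap://dc2.example.com/
base dc=example,dc=com
ldap_version 3
scope sub

# AD does not allow anonymous reads of user attributes, so bind as a
# read-only proxy account. This file is world-readable, so the account
# must have no rights beyond reading the attributes mapped below.
binddn cn=nssproxy,cn=Users,dc=example,dc=com
bindpw ChangeMe
# Lookups by root bind with this DN and the password in /etc/ldap.secret (mode 0600)
rootbinddn cn=nssproxy,cn=Users,dc=example,dc=com

# AD returns at most 1000 entries per search unless paged results are used,
# and chasing its referrals to other partitions stalls every lookup.
pagesize 1000
referrals no

# Encrypt the bind and verify the DC certificate; otherwise the proxy
# password and every lookup cross the wire in clear.
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ad-root-ca.pem

# Only entries that actually carry the SFU POSIX attributes are Unix accounts.
# Computer objects are also "user" objects in AD, so the filter excludes them.
nss_base_passwd dc=example,dc=com?sub?(&(objectClass=user)(!(objectClass=computer))(msSFU30UidNumber=*))
nss_base_shadow dc=example,dc=com?sub?(&(objectClass=user)(!(objectClass=computer))(msSFU30UidNumber=*))
nss_base_group  dc=example,dc=com?sub?(&(objectClass=group)(msSFU30GidNumber=*))

# RFC 2307 object classes / attributes -> SFU 3.5 schema
nss_map_objectclass posixAccount  user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup    group
nss_map_attribute   uid           sAMAccountName
nss_map_attribute   uidNumber     msSFU30UidNumber
nss_map_attribute   gidNumber     msSFU30GidNumber
nss_map_attribute   homeDirectory msSFU30HomeDirectory
nss_map_attribute   loginShell    msSFU30LoginShell
nss_map_attribute   gecos         displayName
nss_map_attribute   memberUid     msSFU30MemberUid
# userPassword is deliberately not mapped: authentication is Kerberos, and
# NSS must never be able to pull password material out of the directory.

# Fail fast when the DCs are unreachable instead of hanging every getpwnam()
bind_policy soft
timelimit 10
bind_timelimit 10

### /etc/krb5.conf
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
    # Leave enctypes at the library defaults; do not turn single DES back on
    # just to talk to old DCs unless you are forced to.

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        kdc = dc2.example.com
        admin_server = dc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com  = EXAMPLE.COM

### /etc/pam.d/common-auth  (Debian layout; Red Hat puts this in system-auth)
auth    sufficient  pam_krb5.so
auth    required    pam_unix.so try_first_pass
```

Check it by running `getent passwd someuser` on two different hosts and confirming they print the same UID and GID, and `kinit someuser@EXAMPLE.COM` followed by a login. Two caveats worth keeping in mind: a user without the SFU attributes has no POSIX identity at all and will be refused at the account stage even if the Kerberos password is right, which is the desired behaviour; and whoever can write msSFU30UidNumber in AD chooses that user's identity on every Linux client, a value of 0 being root, so restrict write access to those attributes to the people who provision Unix accounts and audit changes to them.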