OpenLDAP + User Authentication

Steve Rieger riegersteve at gmail.com
Tue Jan 31 18:40:56 UTC 2006


I will top post on this.



Being that I used to fly medevac to you, I will be a bit nicer than I usually am.


Anyways, you don't want to be importing the other LDAP; it's not practical. And you can't really import the passwords from the other LDAP server into yours.

I would do the following:

ou=everyone,o=UMDNJ,c=US
and all people go into this ou; then keep your users in the following, but point them all to ou=everyone.

> ou=People,o=InformaticsInstitute,o=UMDNJ,c=US

> ou=People,o=research.umdnj.edu,o=umdnj.edu


Now what you will want to do is set up one LDAP server as the master and the other as the replica. They will sync up in near real time.


Any questions, ask.


The base DN should be o=UMDNJ,c=US, and from there branch out.


On Jan 30, 2006, at 8:21 PM, Ryan Golhar wrote:

> I'm a little confused on how this is going to happen.  Here's what we
> have:
>
> First LDAP server has a base DN of:  
> o=InformaticsInstitute,o=UMDNJ,c=US
> Second LDAP server has a base DN of: o=research.umdnj.edu,o=umdnj.edu
>
> Some users will be unique to the first LDAP, other users will be unique
> to the second LDAP, and some might overlap.  Here's an example of a user
> in the first LDAP directory and the second LDAP directory:
>
> uid=someuser,ou=People,o=InformaticsInstitute,o=UMDNJ,c=US
>
> uid=someuser,ou=People,o=research.umdnj.edu,o=umdnj.edu
>
> How am I going to combine these two directories into one?  Other than
> the base DN difference, the users are both in ou=People.  I could just
> dump all the users from one LDAP directory into the other, but I want to
> make sure I'm doing things right.
>
> The other problem is that I doubt this other dept will grant us admin
> access to their ldap server and doubtful they will give up their ldap
> server to use ours.  I don't want to manage this stuff, so I'll go  
> with
> theirs.
>
> If we set up a separate tree on their server for our users, how can we
> add their users from "ou=People,o=research.umdnj.edu,o=umdnj.edu" to be
> able to access our resources when our machines authenticate users from
> "ou=People,o=InformaticsInstitute,o=UMDNJ,c=US"?
>
> Am I thinking about this correctly?
>
> Ryan
>
>
> -----Original Message-----
> From: Bliss, Aaron [mailto:ABliss at preferredcare.org]
> Sent: Monday, January 30, 2006 8:07 PM
> To: job at ccbmail.ccbox.com; General Red Hat Linux discussion list;
> golharam at umdnj.edu
> Subject: RE: OpenLDAP + User Authentication
>
>
> It really isn't very efficient attempting to maintain two separate
> directories; shame on the other department for setting up that other
> ldap server; best thing to do is to reconcile users and groups to 1 ldap
> server and migrate the member servers that are authenticating against
> the rogue ldap server to yours after reconciling both.
>
> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Job Cacka
> Sent: Monday, January 30, 2006 7:47 PM
> To: golharam at umdnj.edu; General Red Hat Linux discussion list
> Subject: RE: OpenLDAP + User Authentication
>
> It may be possible to accomplish this, but you have a bigger problem
> than that. Who is ultimately responsible for your network? They should
> be the one that should have the authority to fix this. If no one person
> is responsible for network services then you will have many problems
> like this in the future.
>
> Alternatively, you have a few choices.
> 1. Do what you propose = A lot of work and research and it may not be a
> success
> 2. Combine the two LDAP servers into one server with two trees;
> make sure to use the least expensive non-proprietary server.
> 3. Install two routers and break the departments out of sharing the same
> network. This is only cost effective if it prevents problems like this
> in the future. It may break other services too.
>
> BTW shame on the other guy for not checking the services that were
> running first before installing the same one. How many resources did he
> waste of the organization's time and money by not doing his homework?
>
> Job Cacka
>
> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com]On Behalf Of Ryan Golhar
> Sent: Monday, January 30, 2006 1:45 PM
> To: 'General Red Hat Linux discussion list'
> Subject: OpenLDAP + User Authentication
>
>
> I have an LDAP server which I'm using to authenticate my users from.
> Recently, another dept here put their own LDAP server in place with a
> different set of users that may/may not be in my LDAP.
>
> What I'd like to do is have my machines attempt to authenticate a user
> from my LDAP, and if the user doesn't exist, have the LDAP refer to the
> other dept's LDAP server.  Is this possible with LDAP?  If so, can
> anyone point me to where I can read up on this?  I found a little
> information on superior referrals, but no detailed information on how it
> works.
>
> Ryan
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list



--
Steve Rieger
riegersteve at gmail.com
310-339-4355
yahoo  = riegersteve
icq        = 53956607
Ride Free, Ride On, Ride Safe


I had the blues because I had no shoes until upon the street, I met a  
man who had no feet.

Biker Blue
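An added example, not part of this thread or of OpenLDAP itself, showing the consolidation step the reply above proposes: re-parent user entries from both trees under ou=everyone,o=UMDNJ,c=US, report uids that exist in both directories (the "some might overlap" case) instead of silently overwriting one with the other, and keep userPassword values out of the import so no hash from the other department's server is carried over unreviewed. The two LDIF exports are constructed samples, and the minimal parser assumes plain one-line attribute values (no continuation lines or base64).

```python
import re
from collections import defaultdict
# Constructed sample exports standing in for the two trees named in the
# thread; nothing here is real directory data.
LDIF_A = """\
dn: uid=someuser,ou=People,o=InformaticsInstitute,o=UMDNJ,c=US
uid: someuser
cn: Some User
userPassword: {SSHA}constructed-hash-a

dn: uid=alice,ou=People,o=InformaticsInstitute,o=UMDNJ,c=US
uid: alice
cn: Alice Example
"""
LDIF_B = """\
dn: uid=someuser,ou=People,o=research.umdnj.edu,o=umdnj.edu
uid: someuser
cn: Some User

dn: uid=bob,ou=People,o=research.umdnj.edu,o=umdnj.edu
uid: bob
cn: Bob Example
"""
NEW_PARENT = "ou=everyone,o=UMDNJ,c=US"  # shared container proposed in the reply

def parse_ldif(text):
    """Minimal LDIF reader (assumes one-line values): [(dn, [(attr, val), ...])]."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = [tuple(l.split(": ", 1)) for l in block.splitlines() if ": " in l]
        dn = next(v for k, v in pairs if k == "dn")
        entries.append((dn, [(k, v) for k, v in pairs if k != "dn"]))
    return entries

def merge_trees(*ldifs):
    """Re-parent users under NEW_PARENT, report uid collisions, strip userPassword."""
    seen, merged, stripped = defaultdict(list), [], []   # seen: uid -> source DNs
    for text in ldifs:
        for dn, attrs in parse_ldif(text):
            uid = next(v for k, v in attrs if k == "uid")
            seen[uid].append(dn)
            if len(seen[uid]) > 1:
                continue               # second copy: recorded as a collision, not imported
            if any(k == "userPassword" for k, _ in attrs):
                stripped.append(uid)   # account needs a reset after import
            attrs = [(k, v) for k, v in attrs if k != "userPassword"]
            merged.append((f"uid={uid},{NEW_PARENT}", attrs))
    collisions = {u: dns for u, dns in seen.items() if len(dns) > 1}
    return merged, collisions, stripped
```

Collisions must be resolved by hand (same person, or two different people sharing a uid) before the merged entries are loaded; the stripped list is the set of accounts whose owners need a password reset.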
