I need to set up an AD. The larger organisation I'm in has its own LDAP service which handles authentication and some other details. I would like to get AD to use that LDAP info just for authentication purposes. Is this possible?
It honestly depends on how much time, expertise, and money you have to spend. FIM (Forefront Identity Manager) is a fine option if you're just looking to sync basic attributes, including username/password. However, that's not what my university does; we've always needed a bit more flexibility than IDM solutions have ever really offered, which is why we've developed our own in-house middleware written in Perl using LDAPS. This allows us to script updates of what we want, when we want, and where we want, with as much flexibility as we need. We also force all users to use a web portal for password changes, so that our directories do not get out of sync. We are currently syncing a Sun ONE LDAP system to our MS Active Directory and have been since 2002.
TL;DR: If you're short on time and expertise, but not money, use FIM; it will do what you want. If not, you're more than welcome to write your own middleware in the coding language of your choice to do the same thing.
The only way I know to do this is to create an LDAP-backed Kerberos system, and establish a Kerberos trust between the non-Windows Kerberos realm and the Windows domain (which is also a Kerberos realm). The key steps:
Kerberos is the glue that allows AD to use an external LDAP server for authentication.
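As an added illustration of the cross-realm setup this answer sketches (example configuration written for this page, not the answerer's own), here is the client-side krb5.conf that tells the non-Windows realm how to reach the Windows domain and that the two realms trust each other directly. The realm names UNIX.EXAMPLE.COM and AD.EXAMPLE.COM and the KDC hostnames are assumed placeholders.

```ini
# /etc/krb5.conf on the LDAP-backed (MIT/Heimdal) side.
# Assumed names: UNIX.EXAMPLE.COM is the LDAP-backed Kerberos realm,
# AD.EXAMPLE.COM is the Windows domain; hostnames are placeholders.
[libdefaults]
    default_realm = UNIX.EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    UNIX.EXAMPLE.COM = {
        kdc = kdc1.unix.example.com
        admin_server = kdc1.unix.example.com
    }
    AD.EXAMPLE.COM = {
        # A domain controller is also the KDC for the Windows realm.
        kdc = dc1.ad.example.com
        admin_server = dc1.ad.example.com
    }

[domain_realm]
    # Map DNS names to realms so service principals resolve to the right KDC.
    .unix.example.com = UNIX.EXAMPLE.COM
    unix.example.com  = UNIX.EXAMPLE.COM
    .ad.example.com   = AD.EXAMPLE.COM
    ad.example.com    = AD.EXAMPLE.COM

[capaths]
    # Direct trust in both directions; "." means no intermediate realm.
    UNIX.EXAMPLE.COM = {
        AD.EXAMPLE.COM = .
    }
    AD.EXAMPLE.COM = {
        UNIX.EXAMPLE.COM = .
    }
```

The trust itself consists of the cross-realm principals krbtgt/AD.EXAMPLE.COM@UNIX.EXAMPLE.COM and krbtgt/UNIX.EXAMPLE.COM@AD.EXAMPLE.COM, which must be created with the same password and compatible encryption types on both the KDC and the domain controller (the Windows half via `netdom trust ... /realm`); each AD account is then tied to its external principal through the altSecurityIdentities attribute, and a mismatch in either the shared secret or the enctypes shows up as TGS failures in the KDC and DC logs.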
I've never done what you're describing, at least not with just LDAP and not in production.
AD domains are more than just authentication and require a lot more than just an LDAP directory to work, so I think you'd need to deploy Samba or something to make what you're describing happen (though you can get Samba to use LDAP as its backing store). I'm not sure what the state of Samba domain controllers is these days but I'd start looking here (samba.org docs).
I have gone the other way (making the LDAP stuff authenticate against AD & storing the "other stuff" in AD's LDAP store), and that's relatively easy -- I'd recommend this if at all practical, but without knowing more about your situation I can't say if it's the right move or not...
Microsoft FIM, previously ILM, will allow credential synchronization between LDAPs. You'll still need to run full-blown AD, but you can have it sync the credentials with the already existing LDAP. It should be transparent to the user.
This is my limited understanding, I've never had it working nor know anybody who has.
According to sparse MS documentation you can get AD in 2003+ to use a username and password from another LDAP server. But it still requires you to run a full "local" AD setup with accounts that are basically mapped to the LDAP accounts. It uses the inetOrgPerson object. Limited information is here, and even more "helpful" directions for creating the account are here.
As another poster mentioned, AD is much more than simple authentication and really doesn't play nice with competition like *nix LDAP.