"Hybrid Directory Services"?

Posted:
in Genius Bar edited January 2014
I have a small, simple FTP server running on OS X 10.2.8 (Jaguar). It is not part of a directory system. All accounts are local (OD/NetInfo). I have about 100 users who connect. 50 of the users are internal users on my LAN. They connect over AFP. The other 50 are clients who hit my FTP server from the Internet (Customers using FTP software). These external users are a mix of PC and Mac users. All my other OS X servers that I admin are all bound to Active Directory, except for this FTP box. Managing the 10.2.8 FTP server's client accounts is a chore, since it is not in AD with the other servers. Can guess where I am going with this topic?



Here is the nuts and bolts of my situation:



I am going to upgrade the FTP server to 10.3.7 (Panther) soon. Once I get the FTP server upgraded to Panther, I plan on integrating the FTP server into my Active Directory environment with my other OS X servers. My big challenge will be dealing with duplicate directory account entries: The 50 LAN Mac users who hit my FTP server already have local NetInfo accounts, and those same users also exist in AD as well. what will happen when I bind the FTP server to AD? What will happen to users on my LAN who try and connect to the FTP server? I assume the FTP server will try and authenticate the users according to the settings in my Directory Access app?



My goal, of course is to kill off the OD/NetInfo accounts for the LAN Mac users, and use their AD credentials to authenticate. Remember the 50 external FTP accounts (the customers who are accessing my FTP server from the Internet)? I want to KEEP them in OD/NetInfo and NOT in AD. Is it OK to separate users into 2 distinct directories? To me this seems like a great idea: Keep the external, non-employee accounts in OD/NetInfo and keep the localized Domain users in AD. Right? I haven't mix-n-matched directory services before, so I am a little nervous of the results. Is it possible?



The other big issue I foresee? Groups. I have a lot of fairly complicated Groups on my FTP server in NEtInfo. IS it possible to put an AD user into a localized OD/ Netinfo Group? I really don't want to screw-up my share points group permissions if I can avoid it.



Has anyone every done a directory "migration" or "hybrid" user/group structure like this? I would appreciate any help or suggestions. Im in no hurry to do this, so I can plan it out as much as I need to.
Sign In or Register to comment.