Re: Active directories and OpenLDAP
On Fri, 18 May 2001, Mohammad Akram Ali Mehkri wrote:
> i just wanted to know if i can replace active
> directories with OpenLDAP running on Linux and let
> services on M$ access the LDAP server and not know the
> difference - specially Exchange

I have not done this, but I've investigated it a bit.  I believe it is
doable.  (I hope so, because I may get to do this myself before the year
is out.)

The first thing you should know is that no LDAP server can completely
replace ADS.  You also need Kerberos V, a whole raft of DNS entries, and a
DNS server which accepts dynamic updates.  There are MS TechNet articles
and whitepapers which can help you sort it out:

"DNS Requirements for Deploying Active Directory"
_Windows 2000 DNS_
_Windows 2000 Kerberos Authentication_
_Windows 2000 Kerberos Interoperability_

Microsoft has defined some additional Kerberos data which is causing a bit
of controversy in the Kerberos community.  I think it is much more
significant in an environment where ADS and other services must
interoperate, than one in which ADS is wholly replaced by a similar bundle
of services.  There may be a chicken/egg problem to be faced in setting up
the first DC in a domain tree, but once that is accomplished I think that
Kerberos will not care what is in the data and ADS clients will know what
to do with them.

The LDAP service should be more straightforward.  The main problem here, I
think, will be that the code has been racing ahead of the documentation.

On the DNS front, it looks to me as though BIND 9 can do the job, but
again I haven't actually built and tested anything.

Note also that *interoperability* is different from *replacement*.  I
haven't found a Microsoft document which will tell you exactly what you
need to do.

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Make a good day.
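The reply above mentions "a whole raft of DNS entries" without naming them. The following is an added example, not code from Mark Wood's post or from any of the Microsoft documents he cites: a small checker that parses a BIND-style zone file and reports which of the SRV records a Windows DC locator queries are absent, and which SRV targets have no address record. The list of record names is my assumption, taken from the generic (non-site, non-GUID) subset of Microsoft's DC locator records; the sample zone is constructed for the example and deliberately leaves some records out. It does not check the dynamic-update part of the requirement, which lives in named.conf rather than in the zone data.

```python
"""Check a BIND-style zone for the SRV records an Active Directory client
needs to locate a domain controller.  Added example; the record list is an
assumption based on Microsoft's DC locator documentation, not on the post."""
from typing import Dict, List, Tuple

# Owner names (relative to the domain) that the DC locator looks up when no
# site-specific records apply.  Assumed list; GUID- and site-scoped names are
# omitted for brevity.
REQUIRED_SRV = (
    "_ldap._tcp",
    "_ldap._tcp.dc._msdcs",
    "_ldap._tcp.pdc._msdcs",
    "_ldap._tcp.gc._msdcs",
    "_gc._tcp",
    "_kerberos._tcp",
    "_kerberos._udp",
    "_kerberos._tcp.dc._msdcs",
    "_kpasswd._tcp",
    "_kpasswd._udp",
)

# Constructed sample zone for one DC (dc1).  dc2 has an SRV record but no
# address record, and several required SRV names are missing on purpose.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 600
@                    IN SOA ns1.example.com. hostmaster.example.com. ( 1 3600 900 604800 600 )
@                    IN NS  ns1.example.com.
ns1                  IN A   192.0.2.1
dc1                  IN A   192.0.2.10
_ldap._tcp           IN SRV 0 100 389  dc1.example.com.   ; LDAP on the DC
_ldap._tcp.dc._msdcs IN SRV 0 100 389  dc1.example.com.
_kerberos._tcp       IN SRV 0 100 88   dc1.example.com.   ; Kerberos V KDC
_kerberos._udp       IN SRV 0 100 88   dc1.example.com.
_kpasswd._tcp        IN SRV 0 100 464  dc1.example.com.   ; password change
_gc._tcp             IN SRV 0 100 3268 dc2.example.com.   ; global catalog, dangling target
"""

Record = Tuple[str, str, List[str]]  # (absolute owner, rrtype, rdata fields)


def _absolute(name: str, origin: str) -> str:
    """Turn a zone-file name into a lower-case, dot-terminated FQDN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(zone_text: str, default_origin: str) -> List[Record]:
    """Minimal zone parser: handles $ORIGIN, comments, optional TTL/class.
    Assumes every record line carries an explicit owner name."""
    origin = default_origin.lower()
    if not origin.endswith("."):
        origin += "."
    records: List[Record] = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = _absolute(line.split()[1], origin)
            continue
        if line.startswith("$"):                  # $TTL and other directives
            continue
        fields = line.split()
        owner, rest = _absolute(fields[0], origin), fields[1:]
        if rest and rest[0].isdigit():            # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":      # optional class
            rest = rest[1:]
        if not rest:
            continue
        rrtype, rdata = rest[0].upper(), rest[1:]
        if rrtype == "SRV" and len(rdata) == 4:
            rdata = rdata[:3] + [_absolute(rdata[3], origin)]
        records.append((owner, rrtype, rdata))
    return records


def missing_ad_srv(zone_text: str, domain: str) -> List[str]:
    """Required SRV owner names (relative) with no record in the zone."""
    fqdn = domain.rstrip(".").lower() + "."
    present = {owner for owner, rrtype, _ in parse_zone(zone_text, domain) if rrtype == "SRV"}
    return [name for name in REQUIRED_SRV if f"{name}.{fqdn}" not in present]


def dangling_srv_targets(zone_text: str, domain: str) -> List[str]:
    """SRV targets that have no A or AAAA record in the same zone."""
    records = parse_zone(zone_text, domain)
    addressed = {owner for owner, rrtype, _ in records if rrtype in ("A", "AAAA")}
    dangling: List[str] = []
    for _, rrtype, rdata in records:
        if rrtype == "SRV" and rdata[3] not in addressed and rdata[3] not in dangling:
            dangling.append(rdata[3])
    return dangling


if __name__ == "__main__":
    print("missing SRV:", missing_ad_srv(SAMPLE_ZONE, "example.com"))
    print("dangling SRV targets:", dangling_srv_targets(SAMPLE_ZONE, "example.com"))
```

Run against the sample, the checker lists the four absent `_msdcs`/`_kpasswd` names and flags `dc2.example.com.` as an SRV target with no address record. On a real deployment the zone would be the one BIND 9 serves after the DC has registered its records, and a clean report is a prerequisite before pointing Windows clients at it; the parser is deliberately minimal, so multi-line records and owner-less continuation lines are outside what it handles.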