
Re: openldap with W2K



On Thu, 12 Jul 2001, Jehan PROCACCIA wrote:
> I heard from microsoft people that W2K could not authenticate user from
> a directory other than AD !?. Authentication on W2K is kind of a black
> box (LSA) that is directly linked to AD and could not be redirected to
> openldap for example. I heard also about problems with SID and other
> services that AD provides like profile management ... that could not be
> served by other ldap directory .

Win2k/AD doesn't store the passwords in the DIT; it uses (lightly hacked)
Kerberos for authentication, including authentication for directory
access.  So it's quite similar to using OpenLDAP with only Kerberos
authentication accepted.

I hope that it's *extremely* similar, because I need to set up exactly
that for authenticating Win2k stations sometime soon.  I foresee a
chicken/egg problem in getting the first recognizable Win2k administrator
account created in the Kerberos database, due to the need for adding a
recognizable NT token to the entry, but after that things should Just
Work.

If your needs are less stringent, you can set up a mapping between
Kerberos principals and local accounts on Win2k boxes.  This is yucky
because you now have two account databases to maintain in parallel (N+1
databases if you have N workstations) but the upside is that Microsoft
will tell you how to do it.

The LDAP portion of the problem should be fairly straightforward.  The
trickiest bit I know of so far is that the only schema information I've
found for ADS is (a) not machine-readable and (b) wrong.  (Either that or
there is something really counterintuitive about some of the subclassing
they're doing.)

Anyway, further discussion of Win2k authentication ought to take place in
some Kerberos venue.

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Make a good day.
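The "OpenLDAP with only Kerberos authentication accepted" setup that the reply compares AD to, as an added slapd.conf example (not part of the original message, and not configuration from the poster or the OpenLDAP project). It assumes a Kerberos realm EXAMPLE.COM, a directory suffix dc=example,dc=com with user entries under ou=people, and the modern directive name authz-regexp (in 2.0/2.1-era releases contemporary with the thread it was spelled sasl-regexp). The first half shows the weak password-in-the-DIT arrangement, the second half the Kerberos-only equivalent with the principal-to-entry mapping that takes the place of AD's SID lookup.

```conf
########################################################################
# (a) WEAK: passwords live in the DIT and anyone may try a simple bind
########################################################################
# Every userPassword attribute is a credential store to protect, and a
# simple bind sends the password in clear unless TLS is enforced.
allow    bind_anon               # anonymous binds permitted
# (no 'require', no 'disallow': simple binds with userPassword accepted)

########################################################################
# (b) KERBEROS-ONLY: no passwords in the DIT, binds only via SASL/GSSAPI
########################################################################
# slapd finds its service key (ldap/<fqdn>@EXAMPLE.COM) via the keytab
# named in the KRB5_KTNAME environment of the slapd process.
disallow bind_anon bind_simple  # refuse anonymous and simple binds
require  authc SASL             # every operation needs a SASL-authenticated identity
security sasl=56                # GSSAPI must negotiate at least a 56-bit security layer
sasl-secprops noanonymous,noplain

# A GSSAPI bind for principal jehan@EXAMPLE.COM yields the SASL authzid
#   uid=jehan,cn=example.com,cn=gssapi,cn=auth
# (the exact realm spelling slapd uses can be checked with
#  'ldapwhoami -Y GSSAPI' after kinit).  Map it onto the real entry so
# ACLs can refer to uid=jehan,ou=people,dc=example,dc=com.  This mapping
# is the piece AD does internally with the SID; here it is explicit.
authz-regexp
    "^uid=([^,]+),cn=example\.com,cn=gssapi,cn=auth$"
    "ldap:///ou=people,dc=example,dc=com??one?(uid=$1)"

# With the mapping in place, ACLs are written against entry DNs, and a
# principal from any other realm, or one with no entry under ou=people,
# is left unmapped and matches only the catch-all deny.
access to attrs=userPassword
    by * none
access to *
    by dn.regex="^uid=[^,]+,ou=people,dc=example,dc=com$" read
    by * none
```

Two checks worth doing after the change: `ldapwhoami -Y GSSAPI` should print the mapped ou=people DN rather than the raw cn=auth form, and `ldapsearch -x -b dc=example,dc=com` (simple, anonymous) should now be refused outright instead of returning entries.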