Re: LDAP and Active Directory
This is becoming a FAQ.

Microsoft's Active Directory Service is composed of two separate
components, even though they come all wrapped up together.

The directory proper stores objects in an X.500-like hierarchy.  It is
accessible through LDAP, and also through the proprietary ADSI.  If a
client (e.g. Exchange) manipulates objects through LDAP then OpenLDAP
might be able to serve as a replacement for the directory portion of ADS.
I am not aware of anyone who has done so.

The other component is authentication, which is handled by a somewhat
hacked Kerberos.  An LDAP server is not enough; you need a Kerberos KDC as
well, and the LDAP server should use Kerberos for authentication when
doing access control.  Microsoft has implemented a proprietary 'tdata'
blob as part of the principal, to tie the existing NT security model into
Kerberos.  Last I heard, they were not saying what the value represents,
although my guess would be that it is a list of SIDs.  You have to know
how to generate an acceptable value for this tdata in order to make a
principal which is fully functional w.r.t. ADS authentication.  I don't
know of anyone who has done this either.

Since Exchange predates ADS, it probably uses ADSI rather than LDAP --
perhaps even a downlevel version of ADSI.  It may be possible to make an
adaptation layer of some sort to make it play with LDAP, but again I don't
know of anyone who has done this.

There are some other bits required to make a host recognizable as an ADS
server.  Mostly they are DNS glue pointing to the KDC and the directory
service, so that clients can find them.  These *are* documented in some MS
whitepaper that I don't have nearby at the moment.  To round out the set,
you need Dynamic DNS and a DHCP server which uses it, although these may
not be strictly required.  (You can get these last from ISC, though the
DDNS bits may still be somewhat experimental.)

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Make a good day.
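The DNS glue the message mentions is what lets a client find the KDC and the directory service. The following is an added example, not part of the original message: it parses a constructed set of zone-file SRV records and checks that a domain advertises each service an AD client looks up, choosing the preferred host by RFC 2782 priority and weight. The record names (`_ldap._tcp`, `_kerberos._tcp`, `_kpasswd._tcp`) and the sample zone are assumptions of this example.

```python
import re
from collections import defaultdict

# SRV names an AD client queries for the LDAP directory, the Kerberos KDC and
# the password-change service (assumed here; the message does not list them).
REQUIRED = ("_ldap._tcp", "_kerberos._tcp", "_kpasswd._tcp")

# Zone-file SRV line: name [ttl] IN SRV priority weight port target
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)"
    r"\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)

# Constructed sample zone: the kpasswd record is deliberately absent.
ZONE = """\
; constructed sample zone for example.test
_ldap._tcp.example.test.     600 IN SRV 0  100 389 dc1.example.test.
_ldap._tcp.example.test.     600 IN SRV 10 100 389 dc2.example.test.
_kerberos._tcp.example.test. 600 IN SRV 0  100 88  dc1.example.test.
"""


def parse_srv(zone_text):
    """Return (name, priority, weight, port, target) tuples from SRV lines."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";")[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = SRV_RE.match(line)
        if not m:
            raise ValueError(f"not an SRV record: {line!r}")
        d = m.groupdict()
        records.append((d["name"].rstrip(".").lower(), int(d["prio"]),
                        int(d["weight"]), int(d["port"]),
                        d["target"].rstrip(".").lower()))
    return records


def locate(records, domain):
    """Map each advertised service to its preferred (host, port).

    Preferred = lowest priority, then highest weight (deterministic pick;
    real resolvers choose randomly among equal-priority targets by weight).
    """
    by_name = defaultdict(list)
    for name, prio, weight, port, target in records:
        by_name[name].append((prio, -weight, target, port))
    found = {}
    for svc in REQUIRED:
        cands = by_name.get(f"{svc}.{domain.lower()}")
        if cands:
            _, _, target, port = min(cands)
            found[svc] = (target, port)
    return found


def missing(records, domain):
    """List the required services the domain does not advertise."""
    return [s for s in REQUIRED if s not in locate(records, domain)]
```

Run against the sample zone, `missing()` reports `_kpasswd._tcp`, which is the kind of gap that leaves a client able to find the KDC and LDAP server but unable to change passwords.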