
RE: Win2k domain authing against Linux OpenLDAP



Might also look at the SAMBA project v2.2 which is in development right
now. We are attaching SAMBA to OpenLDAP and using SAMBA as a PDC and running
W2K with that.

-----Original Message-----
From: Luke Howard [mailto:lukeh@PADL.COM]
Sent: Saturday, September 01, 2001 4:44 AM
To: rharris@raindance.com
Cc: openldap-software@OpenLDAP.org; nicolas.williams@ubsw.com
Subject: Re: Win2k domain authing against Linux OpenLDAP



>  I've about got my OpenLDAP server working for Solaris and Linux.  Part of
>the company is using windows, most migrating to 2k soon.  Nothing I can do
>about this so it is out of my hands.  
>
>  At any rate, we want those to authenticate against the OpenLDAP also.
>The windows guy
>is saying he is finding a lot of docs saying it can't be done.  He is
>pushing for an ADS server authentication to be master for everything and
>throw the LDAP out.  

You can't replace a native mode W2K domain controller with one running
OpenLDAP. It is possible in theory but a lot of work would need to be
done.

A good way to start would be to implement the Microsoft-specific LDAP
matching rules, extended operations, and controls, and to add CLDAP
support at least for reading the root DSE. Then I would try and import
the data from an Active Directory server, update the LDAP SRV record
for a domain to point to the OpenLDAP server, and see what blows
up.

Actual _authentication_ is another matter entirely, this would require
a Kerberos KDC with support for Microsoft's proprietary PAC.

-- Luke

--
Luke Howard | lukehoward.com
PADL Software | www.padl.com