
RE: Active Directory Imitation

Hi Roger,

I'm very familiar with AD from the perspective of LDAP functionality. I've often wondered how possible it would be to imitate it with another LDAP server. From the beginning you'd have to accept that you probably won't be able to imitate Network Operating System functionalities that AD provides in addition to LDAP. For example, it would be very difficult to imitate the SID generation, and SID token generation that Windows users need for authorization to network resources. Additionally, you wouldn't immediately be able to give the other LDAP server, OpenLDAP in this case, LDAP functionality that AD supports. AD supports quite a bit of things that OpenLDAP doesn't yet, including a list of 16 LDAP server controls (e.g. server-side sorted search, dirsync to name a few). Some of these functionalities are the key to making other MS technology work correctly. For example, Exchange 2000 heavily relies on AD, and requires the dirsync control to operate correctly. MS does its multi-master replication also using the dirsync control. Another problem could be the difference in default syntaxes AD requires. Most LDAP servers don't allow you to add syntaxes, and it is possible that there isn't a direct match.

Now all that said ... I think what you would like to try is very cool, and here are a couple resources which may be useful. 

In my random net surfing I came across this page at the U of Navarra: 
http://www.unav.es/cti/ldap-smb/ldap-smb-AD-schemas.html#AD_schemas
They apparently are trying to do exactly what you propose, and have quite a bit of their progress online. 

There are the online docs for the AD schema:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/adschema/w2k.asp
142 object classes, 863 attributes by default.

If you have access to an AD, you can run LDIFDE.exe to dump the schema to LDIF. MS also has CSVDE.exe, which will dump to CSV format.

Finally, AD supports browsing the schema via LDAP, so if you point at any AD, you can discover the schema yourself. Look for entries of objectclass=classSchema or objectclass=attributeSchema at the DN: cn=Aggregate,cn=Schema,cn=Configuration,dc=mycompany,dc=com.

I hope this helps, Roger.

Regards,

Brian Arkills
Stanford University
-----------------------
"Integrity has the power to build trust. Trust is what fuels a relationship."
							John Maxwell
"The intelligent man is open to new ideas. In fact, he looks for them."
							Proverbs

> -----Original Message-----
> From: Roger Hyam [mailto:roger.hyam@sopheon.com]
> Sent: Friday, January 25, 2002 2:02 AM
> To: openldap-software@OpenLDAP.org
> Subject: Active Directory Imitation
> 
> 
> 
> Hi,
> 
> I am posting this just having joined the list so apologies if 
> it is off beam
> but I am working to quite short time scales just at the moment.
> 
> I am writing a little app in Java (JNDI) that queries LDAP 
> servers for user
> info and produces an XML file to be imported by another application.
> 
> I have written the app and tested against OpenLDAP and it 
> works fine. I now
> have to go through testing it against other LDAP servers. What I am
> wondering is if I can get OpenLDAP to imitate other servers 
> by setting it up
> with their default schemas. The main one I need to do this 
> for is Active
> Directory. Could I use the AD schema as the core schema in OpenLDAP.
> 
> If yes has anyone any idea of where I may get an Active 
> Directory schema
> file that I could load into OpenLDAP.
> 
> I'd like to do this method of testing before I get into 
> setting up a full
> test environment with two Win2K servers etc (yuk).
> 
> Any thoughts most appreciated.
> 
> Roger
>
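As an added example (not code from either message above), here is an offline parser for the LDIF that LDIFDE.exe produces, splitting entries into the classSchema and attributeSchema groups Brian suggests searching for. The LDIF sample is constructed to look like a schema export and covers two things a naive line splitter gets wrong: folded continuation lines and base64 (::) values.

```python
import base64
from collections import defaultdict

# Constructed sample shaped like an LDIFDE.exe schema export (not a real dump):
# a classSchema entry and an attributeSchema entry with a folded base64 value.
SAMPLE_LDIF = """\
dn: CN=User,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: classSchema
lDAPDisplayName: user
governsID: 1.2.840.113556.1.5.9

# comment lines are legal in LDIF and must be skipped
dn: CN=SAM-Account-Name,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: attributeSchema
lDAPDisplayName: sAMAccountName
attributeSyntax: 2.5.5.12
description:: QUQgc2No
 ZW1h
"""

def parse_ldif(text):
    """LDIF -> list of {attr: [values]}; handles folded lines (leading space),
    '#' comments and base64 '::' values. Attribute names are lower-cased."""
    entries, current = [], defaultdict(list)
    lines = text.replace("\n ", "").splitlines()  # unfold continuation lines
    for line in lines + [""]:                 # trailing "" flushes last entry
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
        elif not line.startswith("#"):        # skip LDIF comments
            name, _, rest = line.partition(":")
            if rest.startswith(":"):          # base64-encoded value
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            current[name.strip().lower()].append(value)
    return entries

def schema_summary(entries):
    """Split entries into classSchema / attributeSchema by lDAPDisplayName."""
    out = {"classSchema": {}, "attributeSchema": {}}
    for e in entries:
        for kind in out:
            if kind.lower() in (v.lower() for v in e.get("objectclass", [])):
                out[kind][e.get("ldapdisplayname", e["dn"])[0]] = e
    return out
```

Run against a real LDIFDE export the two dictionaries should come out near the 142 classes and 863 attributes the reply quotes for a default schema; anything missing or extra is what has to be reconciled before the schema can be loaded elsewhere.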