
Re: newbie question - LDAP and Active Directory

On Thu, 9 May 2002, Dave Snoopy wrote:
[snip]
> Kerberos sounds like just the ticket (no pun
> intended).
> Has anyone ever tried this with Win2k DCs before
> though?

I tested it before replying.  It works.  I have not (yet) used this combo
for any production work.

> I heard that Microsoft Kerberos is not 100%
> compatible with the standard that open source software
> uses (e.g. MIT Kerberos).

The big issue was the secret TDATA that they use to glue the NT security
model onto the protocol.  That has now been published without the
restrictions which formerly made the documentation worthless.

The internals are still somewhat mysterious, but in most cases that
doesn't matter as much as interoperability.

> What Kerberos client would you recommend, and do you
> know how to integrate it with OpenLDAP? Is it just a
> compile option?

Well, at minimum you need kinit and kdestroy.  You'll want klist to check
your ticket cache during troubleshooting.  It's easiest to just download
the MIT source package and install everything, then ignore the server bits
if you don't want them.  I've not run Heimdal so I can't offer a
comparison to that.  I think there are a couple of commercial products
based on the MIT package but I haven't run them either.  Actually I mostly
just dabble in Kerberos for now -- other people are in charge of our
corporate authentication services.

This is going way off-topic for openldap-software.  Further discussion
should take place elsewhere.

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
MS Windows *is* user-friendly, but only for certain values of "user".