
Re: Active Directory to OpenLDAP



You can use the OpenLDAP "ldapsearch" tool to do a lot
of the work. First, compile it with Kerberos. Use
kinit to get yourself a ticket as someone in the
Windows domain. Make sure that your krb5.conf file has
these lines in the [libdefaults] section:

  default_etypes = des-cbc-crc
  default_etypes_des = des-cbc-crc

Install Heimdal on your machine, and Cyrus SASL.
Compile ldapsearch to be heimdal and SASL aware (this
can sometimes be a pain, but it's doable). After doing
a kinit, tell ldapsearch to bind to the Windows DC
using SASL. It should automatically pick the GSSAPI
(aka Kerberos) mechanism, and you'll be in. From there
it's just a matter of doing the right queries against
ADS, such as "(objectCategory=user)".

For a simpler approach though, you might just want to
create a Perl script on your PDC and run it as admin,
which will dump all of your users and groups to a
file. You could then write a corresponding Perl script
to parse the file and turn it into an ldif file, which
you could use to insert the users into your LDAP
server.

Of course, obtaining the Windows passwords or password
hashes is not achievable using either of these
methods.

Good luck,
Dave


--- Tobias Rice <rice@up.edu> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> In our quest for a unified login, we're pursuing what we think is the
> most compatible authentication method: LDAP. Our biggest obstacle
> thus far is getting the data from our Windows domain (2k Active
> Directory) to the OpenLDAP servers. Has anyone successfully
> accomplished this? Any advice or suggestions would be greatly
> appreciated.
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0.2 - not licensed for commercial use: www.pgp.com
> 
> iQA/AwUBPtaGv8NinOuDXR1bEQLnAACfdyJ+sYqvIkhMEFn9SQitAC5YsA0AoNBQ
> jeal5dyvzGgh97i/FL9KXXhG
> =U3ld
> -----END PGP SIGNATURE-----
> 
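Dave's two-step procedure above (kinit, then ldapsearch over SASL/GSSAPI with the `(objectCategory=user)` filter, then convert the dump into LDIF for OpenLDAP) written out as an added example; this is not code from either poster. The DC hostname `dc1.example.com`, the AD base `DC=example,DC=com` and the target OU `ou=People,dc=example,dc=com` are assumptions, the conversion is done in awk instead of the Perl script he suggests, and by default the script runs against a constructed sample of ldapsearch output so it can be tried without a domain. As the thread says, no password material comes across: the imported entries have no userPassword until one is set on the OpenLDAP side.

```shell
#!/bin/sh
# Added example, not code from the thread. Queries AD over SASL/GSSAPI the
# way Dave describes and rewrites the result as OpenLDAP LDIF with awk.
# Host, base DN and target OU below are assumptions for illustration.

AD_HOST="${AD_HOST:-dc1.example.com}"                  # assumed DC hostname
AD_BASE="${AD_BASE:-DC=example,DC=com}"                # assumed AD base DN
LDAP_BASE="${LDAP_BASE:-ou=People,dc=example,dc=com}"  # assumed OpenLDAP OU

# Step 1 (needs a ticket first: kinit someone@EXAMPLE.COM). -Y GSSAPI selects
# the Kerberos SASL mechanism; -LLL drops LDIF version/comment lines.
dump_ad_users() {
    ldapsearch -LLL -H "ldap://$AD_HOST" -Y GSSAPI -b "$AD_BASE" \
        '(objectCategory=user)' sAMAccountName givenName sn displayName mail
}

# Step 2: map AD attributes onto inetOrgPerson entries. Reads LDIF on stdin,
# unfolds continuation lines (leading space), emits one entry per block.
# Values ldapsearch prints base64-encoded ("attr:: ...") are not decoded here.
ad_to_openldap_ldif() {
    awk -v base="$LDAP_BASE" '
    function emit() {
        if (uid != "") {
            print "dn: uid=" uid "," base
            print "objectClass: inetOrgPerson"
            print "uid: " uid
            print "cn: " (cn != "" ? cn : uid)   # cn and sn are MUST attributes
            print "sn: " (sn != "" ? sn : uid)
            if (gn != "")   print "givenName: " gn
            if (mail != "") print "mail: " mail
            print ""
        }
        uid = cn = sn = gn = mail = ""
    }
    function take(line) {        # one complete (unfolded) attribute line
        if      (line ~ /^sAMAccountName: /) uid  = substr(line, 17)
        else if (line ~ /^displayName: /)    cn   = substr(line, 14)
        else if (line ~ /^sn: /)             sn   = substr(line, 5)
        else if (line ~ /^givenName: /)      gn   = substr(line, 12)
        else if (line ~ /^mail: /)           mail = substr(line, 7)
    }
    /^ /  { cur = cur substr($0, 2); next }   # folded line: append to previous
    { if (cur != "") take(cur); cur = $0 }    # previous line is now complete
    /^$/  { emit() }                          # blank line ends the entry
    END   { if (cur != "") take(cur); emit() }
    '
}

# Constructed sample of what Step 1 prints (two users, one folded value).
sample_ad_ldif() {
    cat <<'EOF'
dn: CN=Jane Doe,CN=Users,DC=example,DC=com
sAMAccountName: jdoe
givenName: Jane
sn: Doe
displayName: Jane Doe
mail: jdoe@example.com

dn: CN=svc-backup,CN=Users,DC=example,DC=com
sAMAccountName: svc-backup
displayName: Backup service account for the nightly
  job

EOF
}

# Stand-alone run converts the sample; pass --live (after kinit) for a real DC.
# Import the result with: ldapadd -x -D cn=admin,dc=example,dc=com -W -f users.ldif
if [ "${1:-}" = "--live" ]; then
    dump_ad_users | ad_to_openldap_ldif
else
    sample_ad_ldif | ad_to_openldap_ldif
fi
```

The awk mapping deliberately falls back to the account name for `cn` and `sn` because inetOrgPerson requires both and AD entries for service accounts often lack a surname; review the generated file before importing, since that fallback and the undecoded base64 values are the two places where an entry can end up wrong.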
