
Re: Active Directory and LDAP



I have ideas but haven't tried them out.  You're welcome to test them. :-)

First, rid yourself of the notion that OpenLDAP is going to provide
authentication services to ADS clients.  You need Kerberos 5 for that.
You didn't mention Kerberos, so perhaps you *are* using your directory
itself for authentication.  You'll need to change that and be sure
everything you already have working still works, before tackling ADS
clients.

You'll need specific SRV RRs in your DNS domain, so that ADS can find the
Kerberos and LDAP services it expects.  This is easy.  See the TechNet
article "DNS Requirements for Deploying Active Directory" and the
whitepaper _Windows 2000 Kerberos Authentication_.

You'll need to ensure that each Kerberos principal has the appropriate PAC
TDATA attached.  See the MSDN article "Utilizing the Windows 2000
Authorization Data in Kerberos Tickets for Access Control to Resources".
Be sure you set up a principal for the Domain Administrators group, one
for the top domain in your tree, and at least one user whose primary group
ID is Domain Administrators.  (I *think* that's how it works.)  You'll
need directory objects (of appropriate types) corresponding to those
principals, too.

You'll need to augment your LDAP schema with all of the objects and
attributes that ADS is expecting.  I haven't found a nice machine-readable
form for any of this, but I haven't looked recently.  The last time I
looked at MS' online documentation of the ADS schema, it had obvious
errors and wasn't very usable.

You'll need to create a few objects to instantiate an ADS tree and at
least one site.  There may be other stuff.  Whatever DCPROMO creates when
bootstrapping the initial site, that's what you need.  See the bit about
Kerberos above for some hints.

At this point you can try installing an ADS client into your tree and see
what breaks.  Remember, I never got anywhere near this far.

As you can see, most of the work isn't about LDAP at all, so
openldap-software is probably not the best place for further discussion
until you hit some question that is specific to OpenLDAP.  ldap@umich.edu
is a good place for general LDAP discussion.  For ADS internals, prayer is
probably the most effective approach.

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
MS Windows *is* user-friendly, but only for certain values of "user".
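The SRV-record step above is the one part of this that can be checked mechanically. What follows is an added example, not code from the original post or from OpenLDAP: an offline checker that parses SRV records in zone-file syntax and reports whether the base set of service names an AD client queries (_ldap._tcp, _kerberos._tcp/_udp, _kpasswd._tcp/_udp, RFC 2782 naming) is present with the expected ports. The zone data is constructed for the example; the domain example.test is a placeholder. Real clients also query site- and _msdcs-scoped names, which this check does not cover.

```python
"""Offline sanity check of the DNS SRV records an Active Directory client
expects to find.  Added example; the zone text below is constructed."""
import re
from dataclasses import dataclass

# Base set of SRV names an AD client looks up, with the port each should
# advertise (LDAP 389, Kerberos KDC 88, kpasswd 464).
EXPECTED_SRV = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
}

# name [ttl] IN SRV priority weight port target
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)"
    r"\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


def parse_zone(text):
    """Return the SRV records found in zone-file text; other RR types are ignored."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = SRV_RE.match(line)
        if m:
            records.append(SrvRecord(
                name=m["name"].rstrip(".").lower(),
                priority=int(m["prio"]),
                weight=int(m["weight"]),
                port=int(m["port"]),
                target=m["target"].rstrip(".").lower(),
            ))
    return records


def check_ad_srv(records, domain):
    """Return a list of findings; an empty list means every expected SRV
    name exists under `domain` and advertises the expected port."""
    domain = domain.rstrip(".").lower()
    by_name = {}
    for r in records:
        by_name.setdefault(r.name, []).append(r)
    findings = []
    for prefix, port in EXPECTED_SRV.items():
        fqdn = f"{prefix}.{domain}"
        rrs = by_name.get(fqdn)
        if not rrs:
            findings.append(f"missing {fqdn}")
            continue
        for r in rrs:
            if r.target == "":  # a bare "." target means "service not offered" (RFC 2782)
                findings.append(f"{fqdn} has '.' target (service explicitly unavailable)")
            elif r.port != port:
                findings.append(
                    f"{fqdn} -> {r.target} advertises port {r.port}, expected {port}")
    return findings


# Constructed sample zone: one LDAP record with a wrong port, Kerberos/UDP missing.
SAMPLE_ZONE = """
; constructed sample zone for example.test (placeholder domain)
_ldap._tcp.example.test.      600 IN SRV 0 100 389  dc1.example.test.
_ldap._tcp.example.test.      600 IN SRV 0 100 3389 dc2.example.test.  ; wrong port
_kerberos._tcp.example.test.  600 IN SRV 0 100 88   dc1.example.test.
_kpasswd._tcp.example.test.   600 IN SRV 0 100 464  dc1.example.test.
_kpasswd._udp.example.test.   600 IN SRV 0 100 464  dc1.example.test.
"""


def run_example():
    """Check the constructed zone for example.test."""
    return check_ad_srv(parse_zone(SAMPLE_ZONE), "example.test")


if __name__ == "__main__":
    for finding in run_example() or ["all expected SRV records present"]:
        print(finding)
```

To use it against a live zone, dump the zone (or the output of the relevant SRV queries) into the same name/IN/SRV format and call check_ad_srv() with your domain.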