
Re: ADSI distributed queries CONVERT failures w/ OpenLDAP

> Egor Shokurov wrote:
> Hello
> Our team is in the process of making a decision on which
> LDAP server and access method to use for the ongoing
> project.
> Alternatives for the server are:
> - MS Active Directory
> - Open LDAP
> - Netscape Directory

If you need some more candidates:
- IBM Secure Way Directory
- Novell eDirectory

> Client side should run on NT/w2k, variants I can think of are:
> - OpenLDAP C API
> - MS Winldap
> - Netscape C LDAP API
> - MS ADSI through OLE DB

Both IBM and Novell offer C and Java libraries.

> I see that at least one person has problems connecting ADSI to
> OpenLDAP. Is there any other comment on compatibility of products
> above? Maybe any usability/performance suggestions?

If you want to use GSSAPI as authentication mechanism you might run into
some problems with AD:
- server side: AD ignores buffer sizes (for privacy protection)
  negotiated by GSSAPI.
- wldap32.lib clients: OID encoding for GSS-KRB5 method is wrong in
  GSS-SPNEGO (workaround: use ldap_set_option to use GSSAPI directly)
- wldap32.lib clients: the service principal used is LDAP/host@REALM,
  but should be ldap/host@REALM (RFC 2829, 11.)

Norbert Klasen
DFN Directory Services                           tel: +49 7071 29 70335
ZDV, Universität Tübingen                        fax: +49 7071 29 5912
Wächterstr. 76, 72074 Tübingen              http://www.directory.dfn.de
Germany                             norbert.klasen@zdv.uni-tuebingen.de
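
Added example, not part of the original message or of any project named in it: a check for the first GSSAPI point above. It decodes the 4-octet SASL GSSAPI security-layer negotiation token (layer bitmask plus 24-bit maximum buffer size) and flags length-prefixed security-layer frames larger than the size the receiver advertised. Function names are hypothetical and the sample bytes are constructed.

```python
import struct

# SASL GSSAPI security-layer bits (RFC 2222 section 7.2)
LAYER_NONE, LAYER_INTEGRITY, LAYER_CONFIDENTIALITY = 1, 2, 4


def parse_negotiation(token: bytes):
    """Decode an unwrapped negotiation token: (layers, max buffer, authzid)."""
    if len(token) < 4:
        raise ValueError("negotiation token shorter than 4 octets")
    return token[0], int.from_bytes(token[1:4], "big"), token[4:]


def build_client_reply(layer: int, max_recv: int, authzid: bytes = b"") -> bytes:
    """Client reply: chosen layer, largest wrapped buffer it accepts, authzid."""
    if layer not in (LAYER_NONE, LAYER_INTEGRITY, LAYER_CONFIDENTIALITY):
        raise ValueError("exactly one layer must be selected")
    if not 0 <= max_recv < 1 << 24:
        raise ValueError("max buffer must fit in 24 bits")
    return bytes([layer]) + max_recv.to_bytes(3, "big") + authzid


def oversized_frames(stream: bytes, max_recv: int):
    """Walk 4-octet length-prefixed SASL frames and return (offset, length)
    for each wrapped buffer larger than the receiver advertised."""
    violations, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 4:
            raise ValueError("truncated length prefix at offset %d" % pos)
        (length,) = struct.unpack_from("!I", stream, pos)
        if length > len(stream) - pos - 4:
            raise ValueError("truncated frame at offset %d" % pos)
        if length > max_recv:
            violations.append((pos, length))
        pos += 4 + length
    return violations


# Constructed sample: the server offers all layers with a 65536-octet buffer,
# the client selects confidentiality and advertises 4096 octets, and the
# peer then sends one 1024-octet frame and one 8192-octet frame.
SERVER_OFFER = bytes([0x07, 0x01, 0x00, 0x00])
CLIENT_REPLY = build_client_reply(LAYER_CONFIDENTIALITY, 4096)
SAMPLE_STREAM = (struct.pack("!I", 1024) + b"\x00" * 1024
                 + struct.pack("!I", 8192) + b"\x00" * 8192)

if __name__ == "__main__":
    print(parse_negotiation(SERVER_OFFER))
    print(oversized_frames(SAMPLE_STREAM, parse_negotiation(CLIENT_REPLY)[1]))
```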