Re: LDAP and Active Directory
This is becoming a FAQ.
Microsoft's Active Directory Service is composed of two separate
components, even though they come all wrapped up together.
The directory proper stores objects in an X.500-like hierarchy. It is
accessible through LDAP, and also through the proprietary ADSI. If a
client (e.g. Exchange) manipulates objects through LDAP then OpenLDAP
might be able to serve as a replacement for the directory portion of ADS.
I am not aware of anyone who has done so.
The other component is authentication, which is handled by a somewhat
hacked Kerberos. An LDAP server is not enough; you need a Kerberos KDC as
well, and the LDAP server should use Kerberos for authentication when
doing access control. Microsoft has implemented a proprietary 'tdata'
blob as part of the principal, to tie the existing NT security model into
Kerberos. Last I heard, they were not saying what the value represents,
although my guess would be that it is a list of SIDs. You have to know
how to generate an acceptable value for this tdata in order to make a
principal which is fully functional w.r.t. ADS authentication. I don't
know of anyone who has done this either.
Since Exchange predates ADS, it probably uses ADSI rather than LDAP --
perhaps even a downlevel version of ADSI. It may be possible to make an
adaptation layer of some sort to make it play with LDAP, but again I don't
know of anyone who has done this.
There are some other bits required to make a host recognizable as an ADS
server. Mostly they are DNS glue pointing to the KDC and the directory
service, so that clients can find them. These *are* documented in some MS
whitepaper that I don't have nearby at the moment. To round out the set,
you need Dynamic DNS and a DHCP server which uses it, although these may
not be strictly required. (You can get these last from ISC, though the
DDNS bits may still be somewhat experimental.)
Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu
Make a good day.
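The "DNS glue" the post mentions is a set of SRV records that AD clients resolve to find the KDC and the LDAP directory. The following is an added example (not from the post or its author) showing how a client would resolve those names and order the answers by SRV priority and weight; the domain, hosts, ports and weights are constructed sample data, and the real DNS lookup is replaced by a dictionary so it runs offline.

```python
import random

# Constructed sample DNS answers (not real hosts). The SRV names are the
# standard ones AD clients query; priorities, weights, ports and targets
# are made up for this example.
SAMPLE_SRV = {
    "_kerberos._tcp.example.com": [  # (priority, weight, port, target)
        (0, 100, 88, "dc1.example.com"),
        (0, 50, 88, "dc2.example.com"),
        (10, 0, 88, "backup-dc.example.com"),
    ],
    "_ldap._tcp.example.com": [
        (0, 100, 389, "dc1.example.com"),
        (0, 100, 389, "dc2.example.com"),
    ],
    "_ldap._tcp.dc._msdcs.example.com": [
        (0, 100, 389, "dc1.example.com"),
    ],
}

def srv_names(domain):
    """SRV names a client resolves for the KDC, the LDAP directory, and the
    domain-controller marker record under _msdcs."""
    return {"kdc": f"_kerberos._tcp.{domain}",
            "ldap": f"_ldap._tcp.{domain}",
            "dc": f"_ldap._tcp.dc._msdcs.{domain}"}

def order_srv(records, rng=random.random):
    """Order SRV records as RFC 2782 prescribes: lowest priority first; within
    one priority, weight-0 entries go first and a target is drawn by running
    weight sum. rng is injectable so the result can be made deterministic."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        pool = sorted((r for r in records if r[0] == prio), key=lambda r: r[1] != 0)
        while pool:
            pick = rng() * sum(r[1] for r in pool)
            acc = 0
            for r in pool:
                acc += r[1]
                if acc >= pick:
                    break
            pool.remove(r)
            ordered.append((r[3], r[2]))  # (target host, port)
    return ordered

def locate(domain, lookup=SAMPLE_SRV.get, rng=random.random):
    """Resolve every SRV name; a missing answer yields an empty list, i.e. the
    domain lacks the glue a client needs before it will treat it as AD."""
    return {role: order_srv(lookup(name) or [], rng)
            for role, name in srv_names(domain).items()}

def looks_like_ad_domain(domain, lookup=SAMPLE_SRV.get):
    return all(locate(domain, lookup)[role] for role in ("kdc", "ldap", "dc"))
```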