[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP+kerboros -> win2k AD

[nico is not subscribed to openldap-software, forwarding]

On Wed, Aug 22, 2001 at 11:45:50AM -0400, Nicolas Williams wrote:
> AD is not just LDAP + Kerberos w/ that crappy MS PAC thing + GSS-TSIG
> DNS extension.
> There's a bunch of things which can only be done via proprietary MSRPC
> protocols, though MS has been moving towards making all of AD available
> and manageable via WMI providers.
> Replacing AD is a *very* tall order.
> The best approach to replacing the Kerberos component without getting
> into much legal trouble is to replace the LSA or part of it on windows
> systems. The replacement would provide the information that would
> otherwise be in the Kerberos ticket's PAC but it would obtain that data
> differently.
> Good luck,
> Nico
> On Thu, Aug 23, 2001 at 12:02:47AM +1000, Luke Howard wrote:
> > 
> > >Note that "interoperable" in this case is similar to saying that two
> > >railways built on different gauges are interoperable, in that since
> > >both come to the same station you can always unload the cargo from one
> > >train and load it onto the other one.  The principal-mapping stuff
> > >apparently works, but it's pretty lame, and the case of building a
> > >recognizable ADS DC on something other than a Microsoft operating
> > >is conspicuous by its absence.
> > 
> > I would suggest that that's not going to happen for a while. It would
> > be nice to start chipping away at, though, by implementing some of
> > Microsoft's matching rules and LDAP extensions in OpenLDAP. Then 
> > you might have some chance of replacing the _LDAP_ component of
> > Active Directory with an OpenLDAP server, providing that you didn't
> > care too much about integrating with NT's authorization model.
> > 
> > -- Luke
> > --
> > Luke Howard | lukehoward.com
> > PADL Software | www.padl.com
> --
> .

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only 
for the individual named.  If you are not the named addressee you 
should not disseminate, distribute or copy this e-mail.  Please 
notify the sender immediately by e-mail if you have received this 
e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free 
as information could be intercepted, corrupted, lost, destroyed, 
arrive late or incomplete, or contain viruses.  The sender therefore 
does not accept liability for any errors or omissions in the contents 
of this message which arise as a result of e-mail transmission.  If 
verification is required please request a hard-copy version.  This 
message is provided for informational purposes and should not be 
construed as a solicitation or offer to buy or sell any securities or 
related financial instruments.

Luke Howard | lukehoward.com
PADL Software | www.padl.com