[Date Prev][Date Next]
Re: OpenLDAP+kerboros -> win2k AD
[nico is not subscribed to openldap-software, forwarding]
On Wed, Aug 22, 2001 at 11:45:50AM -0400, Nicolas Williams wrote:
> AD is not just LDAP + Kerberos w/ that crappy MS PAC thing + GSS-TSIG
> DNS extension.
> There's a bunch of things which can only be done via proprietary MSRPC
> protocols, though MS has been moving towards making all of AD available
> and manageable via WMI providers.
> Replacing AD is a *very* tall order.
> The best approach to replacing the Kerberos component without getting
> into much legal trouble is to replace the LSA or part of it on windows
> systems. The replacement would provide the information that would
> otherwise be in the Kerberos ticket's PAC but it would obtain that data
> Good luck,
> On Thu, Aug 23, 2001 at 12:02:47AM +1000, Luke Howard wrote:
> > >Note that "interoperable" in this case is similar to saying that two
> > >railways built on different gauges are interoperable, in that since
> > >both come to the same station you can always unload the cargo from one
> > >train and load it onto the other one. The principal-mapping stuff
> > >apparently works, but it's pretty lame, and the case of building a
> > >recognizable ADS DC on something other than a Microsoft operating
> > >is conspicuous by its absence.
> > I would suggest that that's not going to happen for a while. It would
> > be nice to start chipping away at, though, by implementing some of
> > Microsoft's matching rules and LDAP extensions in OpenLDAP. Then
> > you might have some chance of replacing the _LDAP_ component of
> > Active Directory with an OpenLDAP server, providing that you didn't
> > care too much about integrating with NT's authorization model.
> > -- Luke
> > --
> > Luke Howard | lukehoward.com
> > PADL Software | www.padl.com
Visit our website at http://www.ubswarburg.com
This message contains confidential information and is intended only
for the individual named. If you are not the named addressee you
should not disseminate, distribute or copy this e-mail. Please
notify the sender immediately by e-mail if you have received this
e-mail by mistake and delete this e-mail from your system.
E-mail transmission cannot be guaranteed to be secure or error-free
as information could be intercepted, corrupted, lost, destroyed,
arrive late or incomplete, or contain viruses. The sender therefore
does not accept liability for any errors or omissions in the contents
of this message which arise as a result of e-mail transmission. If
verification is required please request a hard-copy version. This
message is provided for informational purposes and should not be
construed as a solicitation or offer to buy or sell any securities or
related financial instruments.
Luke Howard | lukehoward.com
PADL Software | www.padl.com