
Re: Win2k domain authing against Linux OpenLDAP



On Fri, 31 Aug 2001, Robert Harris wrote:
>   I've about got my OpenLDAP server working for Solaris and Linux.  Part of
> the company is using windows, most migrating to 2k soon.  Nothing I can do
> about this so it is out of my hands.
>
>   At any rate, we want those to authenticate against the OpenLDAP also.  The
> windows guy is saying he is finding a lot of docs saying it can't be done.  He is pushing
> for an ADS server authentication to be master for everything and throw the
> LDAP out.

FAQ time.

>   Is he wrong, mis-informed or just blowing smoke or what?  Any suggestions?

Strictly speaking, he is correct.  ADS clients are not interested in
talking to directory servers for authentication.  They want a Kerberos V
server for that.  But that's just the trivial answer.

More broadly, it certainly is technically possible to authenticate ADS
clients against an LDAP/Kerberos combo.  What seems impossible is doing it
legally.  Microsoft is sitting on the documentation for the proprietary
data that they defined to glue Kerberos to the NT security model.  The
only documentation I'm aware of requires you to agree that you have not
received the right to implement it, before you can unwrap it.  (Naturally
when I saw that I refused and discarded the package without unwrapping
it.)

So if you want a solution today, you probably have to go ADS.  So much for
Microsoft's support of open standards.

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Make a good day.