Re: windows authentication & openldap: explanation.
The protocol Windows uses to authenticate domain users is undocumented.
It uses LDAP and Kerberos, both relatively standard implementations,
but there is a lot more to the process of authenticating against the
Windows domain than just these parts. The Samba list would be a good
place to get info on this, I'd guess.

Windows can authenticate against a standard LDAP server if you use a GINA
module, e.g. http://pgina.cs.plu.edu/, and I think Novell has a GINA
product as well. GINA is something like Windows' PAM, I think. It
replaces at least part of the authentication subsystem.

Another angle is synchronization of the Windows accounts and passwords
with those in the LDAP directory, e.g. Novell's Password Sync,
iPlanet's NT Sync, and also Psynch http://psynch.com . Again, the
Windows password synchronization API is what makes these products possible.

Finally, the Windows domain controller could be replaced entirely.
That's what SAMBA does. Win2k native support is not completed yet; I'd
check the Samba list before running in a production environment. WinNT
and Win2k mixed mode should work fine.

brian jones wrote:
i've seen posts in the archives mentioning the inability of windows
clients (2000, nt) to authenticate domain logins against an openldap
directory, but i haven't been able to find any explanations of why.
can't windows clients use ldap for their authentication? i thought they
used ldap to authenticate against a dc running active directory, is that
incorrect? or is this just another case of non-standard
implementations? anyway, if someone could give me a clue or at least
point me in the right direction i'd really appreciate it. we're
probably going to use a samba server as a pdc and then have that check
passwords against an ldap server instead of a local password file, but
i'm really curious why windows and openldap don't work in this way.
thanks in advance,