[Date Prev][Date Next]
Re: windows authentication & openldap: explanation.
- Subject: Re: windows authentication & openldap: explanation.
- From: "Mark H. Wood" <mwood@IUPUI.Edu>
- Date: Thu, 8 Aug 2002 16:35:52 -0500 (EST)
- Cc: <openldap-software@OpenLDAP.org>
- In-reply-to: <Pine.LNX.firstname.lastname@example.org>
On Fri, 26 Jul 2002, Christoph Neumann wrote:
> So, if you have to support WinME and Win9x clients, yes, you need Samba to
> provide the old-style of Windows authentication. However, the question
> still stands: Why can't one use OpenLDAP as a replacement for Active
> Directory using a modern authentication scheme such as Kerberos? I would
> love to hear the answer to that question too.
Short answer: because OpenLDAP doesn't provide all of the services that
ADS clients require. Neither does any other LDAP server. You need a big
wad of services (directory, authentication (Kerberos), dDNS, etc.) all
tangled together like spaghetti ("tightly integrated" in MS-speak) to
support an ADS client.
It looks possible to replace ADS with OpenLDAP + Kerberos + very recent
BIND + lots of private Microsoft schema definitions for which there is, so
far as I know, no description which is both public and machine-readable.
(And the human-readable spec. appears to be incorrect in some areas.)
> In addition to the authentication problem, there is the authorization
> problem. Active Directory is used for authorization of such things as
> user and group policies. Microsoft clients lookup authorization related
> fields in Active Directory when the user logs into the domain. Some of
> these fields have an undocumented format (such as ntSecurityDescriptor).
> I believe the authorization piece of Active Directory makes Active
> Directory more difficult to replace then the authentication piece.
Huh? SDs are well documented in the Platform SDK. ADS' central mystery,
until recently, was the MS-defined PAC TDATA incorporated into principal
records in the authentication piece, to glue the NT security model onto
Kerberos. The format is now published. (_Utilizing the Windows 2000
Authorization Data in Kerberos Tickets for Access Control to Resources_)
It just takes a loooong time to wrap up all the little pieces and make
them play together nicely. Someone will do it eventually.
Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu
MS Windows *is* user-friendly, but only for certain values of "user".