Re: windows authentication & openldap: explanation.

On Fri, 26 Jul 2002, Christoph Neumann wrote:
> So, if you have to support WinME and Win9x clients, yes, you need Samba to
> provide the old-style of Windows authentication.  However, the question
> still stands:  Why can't one use OpenLDAP as a replacement for Active
> Directory using a modern authentication scheme such as Kerberos?  I would
> love to hear the answer to that question too.

Short answer:  because OpenLDAP doesn't provide all of the services that
ADS clients require.  Neither does any other LDAP server.  You need a big
wad of services (directory, authentication (Kerberos), dDNS, etc.) all
tangled together like spaghetti ("tightly integrated" in MS-speak) to
support an ADS client.

It looks possible to replace ADS with OpenLDAP + Kerberos + very recent
BIND + lots of private Microsoft schema definitions for which there is, so
far as I know, no description which is both public and machine-readable.
(And the human-readable spec. appears to be incorrect in some areas.)

> In addition to the authentication problem, there is the authorization
> problem.  Active Directory is used for authorization of such things as
> user and group policies.  Microsoft clients look up authorization related
> fields in Active Directory when the user logs into the domain.  Some of
> these fields have an undocumented format (such as ntSecurityDescriptor).
> I believe the authorization piece of Active Directory makes Active
> Directory more difficult to replace than the authentication piece.

Huh?  SDs are well documented in the Platform SDK.  ADS' central mystery,
until recently, was the MS-defined PAC TDATA incorporated into principal
records in the authentication piece, to glue the NT security model onto
Kerberos.  The format is now published.  (_Utilizing the Windows 2000
Authorization Data in Kerberos Tickets for Access Control to Resources_)

It just takes a loooong time to wrap up all the little pieces and make
them play together nicely.  Someone will do it eventually.

Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
MS Windows *is* user-friendly, but only for certain values of "user".
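The thread above disputes whether ntSecurityDescriptor has an undocumented format. As an added illustration (not part of this mailing-list post, and not code from OpenLDAP, Samba or Microsoft), the following parses the self-relative SECURITY_DESCRIPTOR layout that the attribute carries, using only the header, SID, ACL and ACE structures as the Platform SDK describes them, and then answers an auditor's question: which trustees may rewrite the DACL. The domain SID, the trustee RIDs and the whole descriptor are constructed in the script; object-specific ACE types (the ones AD uses for per-attribute rights) are skipped by size rather than decoded, which is the caveat a reader of a real directory dump should keep in mind.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Control bits and ACE types from the documented SECURITY_DESCRIPTOR format
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_DENIED_ACE_TYPE = 0x01
WRITE_DAC = 0x00040000  # standard right: permission to change the DACL itself


@dataclass
class Ace:
    ace_type: int
    flags: int
    mask: Optional[int]  # None for ACE types this example does not decode
    sid: Optional[str]


@dataclass
class SecurityDescriptor:
    control: int
    owner: Optional[str]
    group: Optional[str]
    dacl: Optional[List[Ace]]


def parse_sid(buf: bytes, off: int):
    """Decode a binary SID at `off`; returns (S-1-... string, byte length)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")  # 6-byte big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)   # little-endian sub-authorities
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def parse_acl(buf: bytes, off: int) -> List[Ace]:
    """Walk an ACL: 8-byte header, then `count` ACEs, each with a 4-byte header."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        if ace_type in (ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE):
            (mask,) = struct.unpack_from("<I", buf, pos + 4)
            sid, _ = parse_sid(buf, pos + 8)
            aces.append(Ace(ace_type, flags, mask, sid))
        else:  # object ACEs etc. carry extra fields; recorded but not decoded here
            aces.append(Ace(ace_type, flags, None, None))
        pos += ace_size  # AceSize lets us step over any ACE type safely
    return aces


def parse_sd(buf: bytes) -> SecurityDescriptor:
    """Decode a self-relative descriptor: 20-byte header of offsets, then the parts."""
    _rev, _sbz1, control, o_owner, o_group, _o_sacl, o_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if not control & SE_SELF_RELATIVE:
        raise ValueError("only self-relative descriptors are handled")
    owner = parse_sid(buf, o_owner)[0] if o_owner else None
    group = parse_sid(buf, o_group)[0] if o_group else None
    dacl = parse_acl(buf, o_dacl) if (control & SE_DACL_PRESENT and o_dacl) else None
    return SecurityDescriptor(control, owner, group, dacl)


def trustees_granted(sd: SecurityDescriptor, right: int) -> List[str]:
    """Audit helper: SIDs allowed `right` that no deny ACE in the same DACL blocks."""
    if sd.dacl is None:
        return []  # NULL DACL means unrestricted access; report it separately in an audit
    denied = {a.sid for a in sd.dacl if a.ace_type == ACCESS_DENIED_ACE_TYPE and a.mask & right}
    return [a.sid for a in sd.dacl
            if a.ace_type == ACCESS_ALLOWED_ACE_TYPE and a.mask & right and a.sid not in denied]


# --- constructed sample descriptor (no real directory object) ------------------
def build_sid(text: str) -> bytes:
    parts = text.split("-")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def build_ace(ace_type: int, mask: int, sid: str) -> bytes:
    body = struct.pack("<I", mask) + build_sid(sid)
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body


def build_sd(owner: str, group: str, aces: List[bytes]) -> bytes:
    owner_b, group_b, acl_body = build_sid(owner), build_sid(group), b"".join(aces)
    dacl_b = struct.pack("<BBHHH", 2, 0, 8 + len(acl_body), len(aces), 0) + acl_body
    o_owner, o_group = 20, 20 + len(owner_b)
    o_dacl = o_group + len(group_b)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         o_owner, o_group, 0, o_dacl)
    return header + owner_b + group_b + dacl_b


DOMAIN = "S-1-5-21-1000-2000-3000"  # constructed domain SID
ADMINS, USER, EVERYONE = DOMAIN + "-512", DOMAIN + "-1104", "S-1-1-0"
SAMPLE_SD = build_sd(ADMINS, ADMINS, [
    build_ace(ACCESS_DENIED_ACE_TYPE, WRITE_DAC, USER),     # deny ACEs come first
    build_ace(ACCESS_ALLOWED_ACE_TYPE, 0x20094, EVERYONE),  # read-style rights
    build_ace(ACCESS_ALLOWED_ACE_TYPE, 0xF01FF, ADMINS),    # full control
    build_ace(ACCESS_ALLOWED_ACE_TYPE, WRITE_DAC, USER),    # blocked by the deny above
])

if __name__ == "__main__":
    sd = parse_sd(SAMPLE_SD)
    print("owner:", sd.owner, "| may change DACL:", trustees_granted(sd, WRITE_DAC))
```

On a live directory the same parse_sd call applies to the raw bytes of ntSecurityDescriptor returned by an LDAP search, provided the search asks for the DACL part of the descriptor; the object-specific ACE types that AD adds for attribute-level rights are the ones this parser records without decoding.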