
Re: Experiences with "Single Sign On" and LDAP?



Mixing environments is the big challenge.

Turbo, I started working from your howto about 5 months ago.  We are about to go live here at my university with the system I built which started with your documentation.

To integrate with an Active Directory, no documented howto is yet available.
So how do you do it?
1. dump your LDAP tree to ldif format
2. massage the data so that Active Directory can use it
3. batch update your Active Directory tree.

Several sites and projects have more detail than this, but the initial integration all boils down to these 3 steps.
Here are a few sites:
http://web.mit.edu/pismere/project_status.html
http://www.umich.edu/~lannos/win2000/w2k-ad.html

"Massage" here means: use a translation matrix to convert the attributes in OpenLDAP to the attributes used in Active Directory.
Here is a matrix of the schema translation:
http://www.umich.edu/~lannos/win2000/AttributeMappingSummary.html

Other issues to consider: AD-Kerberos5.
Lots of issues here.  Microsoft decided to change the data in the Auth section of a Kerberos ticket to include SID, RID and other NT Domain backward compatibility junk, so they could use Kerb to auth NT users.  This of course broke the ability for MIT-Kerberos5 users to authenticate against an AD-Kerberos KDC.  Long story short: MIT folks got fairly ticked off at Microsoft and worked together with them to come up with a solution.
http://www.usenix.org/events/lisa-nt2000/hill/hill_html/

My current implementation of LDAP+Kerberos does not include AD yet.
When I get it done, I can provide more information.

Jonathan Higgins
Network Service Specialist IV
Kennesaw State University
jhiggins@kennesaw.edu

This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law.  If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.
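The three steps above (dump, massage, batch update) as a worked example. This is an added illustration, not code from the post, from Turbo's HOWTO or from any of the sites linked above: a Python script that reads an LDIF export, renames attributes through a constructed translation table (a stand-in for a real schema-translation matrix such as the umich one linked above, not a copy of it), remaps objectClass values, re-roots each DN under an AD container passed in as `new_suffix`, and deliberately leaves out userPassword and Kerberos key attributes, which AD cannot import from a flat file and which should never sit in a transfer file on disk. The mapping tables, the sample LDIF entry and the AD suffix are all constructed.

```python
"""Added example: turn an OpenLDAP LDIF export into LDIF for an Active Directory
batch import (dump -> massage -> batch update). The mapping tables below are
constructed stand-ins for a real schema-translation matrix, not copied from one."""
import base64

# lower-cased OpenLDAP attribute -> AD attribute (constructed, illustrative)
ATTRIBUTE_MAP = {
    "uid": "sAMAccountName", "cn": "cn", "sn": "sn", "givenname": "givenName",
    "mail": "mail", "telephonenumber": "telephoneNumber", "description": "description",
}
# OpenLDAP objectClass -> AD objectClass; None means no AD equivalent, drop it
OBJECTCLASS_MAP = {
    "top": "top", "person": "person", "organizationalperson": "organizationalPerson",
    "inetorgperson": "user", "posixaccount": None,
}
# Credentials and Kerberos material never go into a flat transfer file: AD cannot
# import these hashes, and an LDIF left on disk would leak them.
DROP_ATTRIBUTES = {"userpassword", "krb5key", "krb5principalname", "shadowlastchange"}


def parse_ldif(text):
    """Parse an RFC 2849 subset into records of ordered (attribute, value) pairs."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]            # continuation of the previous line
        else:
            unfolded.append(raw)
    records, current = [], []
    for line in unfolded:
        if line == "":
            if current:
                records.append(current)
                current = []
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):               # 'attr:: <base64>' form
            current.append((attr, base64.b64decode(rest[1:].strip()).decode("utf-8")))
        else:
            current.append((attr, rest.strip()))
    if current:
        records.append(current)
    return records


def translate_record(record, new_suffix):
    """Rename attributes, remap objectClass, drop secrets/unmapped attributes,
    and re-root the DN as CN=<cn>,<new_suffix> (AD's usual RDN for user objects)."""
    values = {}
    for attr, value in record:
        values.setdefault(attr.lower(), []).append(value)
    cn = (values.get("cn") or values.get("uid") or ["unknown"])[0]
    out = [("dn", f"CN={cn},{new_suffix}")]
    for attr, value in record:
        key = attr.lower()
        if key == "dn" or key in DROP_ATTRIBUTES:
            continue
        if key == "objectclass":
            mapped = OBJECTCLASS_MAP.get(value.lower())
            if mapped:
                out.append(("objectClass", mapped))
        elif key in ATTRIBUTE_MAP:             # unmapped attrs (e.g. uidNumber) are left out
            out.append((ATTRIBUTE_MAP[key], value))
    return out


def needs_base64(value):
    """RFC 2849 SAFE-STRING rule: non-ASCII, leading space/colon/'<' or CR/LF needs '::'."""
    return not value.isascii() or value[:1] in (" ", ":", "<") or "\n" in value or "\r" in value


def emit_ldif(records):
    chunks = []
    for rec in records:
        lines = [f"{a}:: {base64.b64encode(v.encode()).decode()}" if needs_base64(v)
                 else f"{a}: {v}" for a, v in rec]
        chunks.append("\n".join(lines))
    return "\n\n".join(chunks) + "\n"


def convert(ldif_text, new_suffix):
    """Massage a dumped LDIF tree into content LDIF ready for the AD batch import."""
    return emit_ldif([translate_record(r, new_suffix) for r in parse_ldif(ldif_text)])


# Constructed sample export, not real directory data.
SAMPLE_LDIF = """version: 1
dn: uid=jdoe,ou=people,dc=example,dc=edu
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
cn: Jane Doe
sn: Doe
mail: jdoe@exam
 ple.edu
uidNumber: 10001
userPassword: {SSHA}PLACEHOLDER-NOT-A-REAL-HASH
description:: SsO2cmc=
"""

if __name__ == "__main__":
    print(convert(SAMPLE_LDIF, "OU=People,DC=ad,DC=example,DC=edu"))
```

The output is plain content LDIF; which import tool runs step 3 and with which options depends on the site and is not covered here. Run the result against a scratch OU first, diff the imported objects against the source tree, and remove the transfer file once the import is verified, since even a sanitised export still enumerates every account.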

>>> Turbo Fredriksson <turbo@bayour.com> 02/20/03 02:18PM >>>
>>>>> "Jan-Hendrik" == Jan-Hendrik Palic <jhp@addix.net> writes:

    Jan-Hendrik> Hoi ....
    Jan-Hendrik> On Thu, Feb 20, 2003 at 02:01:53PM +0100, Dieter Kluenter wrote:
    >>> I thought about a solution with LDAP and Kerberos5. The
    >>> clients are mixed Linux RedHat/Debian and Windows 2k/XP.
    >>> 
    >>> Has anyone any experiences with it? Is it possible? Where do I
    >>> get into trouble maybe?
    >> Yes, it is possible, either with ActiveDirectory or with
    >> OpenLDAP and MIT KRB5 and I have realised it in my small local
    >> network.

    Jan-Hendrik> With all services or do you have some exceptions?  Is
    Jan-Hendrik> it possible to combine the domain authentication
    Jan-Hendrik> from Windows with LDAP/Krb5?

    Jan-Hendrik> Do you have a how to for that? I googled around the
    Jan-Hendrik> world, but perhaps you can point me to one you found.

http://www.bayour.com/LDAPv3-HOWTO.html