
RE: LDAP in heterogenous environment



I currently use the setup described by Turbo Fredriksson at his site http://www.bayour.com/LDAPv3-HOWTO.html
Granted, I don't run the most current version of OpenLDAP, but this seems to work fine with OpenLDAP + MIT Kerberos. There were a few bumps in the road to the initial installation.

For the Active Directory integration, I filtered a slapcat from OpenLDAP and modified a few fields to make it compatible with the Active Directory LDIF format, and then used ldifde to import the entire tree into Active Directory, with the addition of the "altSecurityIdentities" attribute.
This attribute is used to identify the MIT Kerberos realm principal that AD can trust to authenticate a user.

Check out Cornell's site, http://www.cit.cornell.edu/computer/system/win2000/kerberos/
and Umich.edu, http://www.umich.edu/~lannos/win2000/w2k-ad.html
on AD + MIT Kerberos integration.

For Unix platforms: PADL, http://www.padl.com/

Any HP-UX boxes: you will need to do a bit more, I think; they have some weird user permissions structure the last I checked, and Solaris 9 is a bit funky also. Use the ldapclient tool that they provide, but don't expect TLS support to work properly without a trusted CA.

The biggest problem I had was not building these systems, but dealing with my heterogeneous environment to collect the data on all existing users... but that's a discussion for another Listserv.






Jonathan Higgins
Network Service Specialist IV
Kennesaw State University
jhiggins@kennesaw.edu

This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law.  If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.
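The slapcat-to-ldifde conversion Jonathan describes, as an added example that is not part of the original post and not his code: it parses the slapcat LDIF (folded lines, base64 values), copies only the attributes AD will accept, escapes cn values before using them in the new DN, and adds altSecurityIdentities in the Kerberos:principal@REALM form AD uses for this mapping. The suffixes, target OU, UPN suffix and MIT realm are assumptions, and the sample export is constructed.

```python
# Added example, not from the original post: convert a slapcat LDIF export of
# OpenLDAP users into an ldifde-importable Active Directory LDIF, adding
# altSecurityIdentities so AD maps each account to its MIT Kerberos principal.
# Suffixes, OU, UPN suffix and realm are assumptions; the data is constructed.
import base64
import re

# Constructed slapcat output. userPassword is base64 only to exercise the '::'
# decoder; its {SASL} pass-through value is deliberately not copied into AD.
SAMPLE_SLAPCAT = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
givenName: Jane
mail: jdoe@example.com
description: Research staff, building 7, sec
 ond floor
userPassword:: e1NBU0x9amRvZUBFWEFNUExFLkVEVQ==
creatorsName: cn=admin,dc=example,dc=com

dn: uid=bsmith,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bsmith
cn: Smith, Bob
"""


def parse_ldif(text):
    """Content records -> list of {attr_lowercase: [values]}; handles folded
    lines (leading space), '#' comments and base64 'attr:: value' lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # sentinel flushes the last record
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            current.setdefault(attr.lower(), []).append(value)
    return entries


def escape_rdn_value(value):
    """RFC 4514 escaping: a cn like 'Smith, Bob' must not become an extra RDN
    (or land the account in a different OU) in the DN ldifde creates."""
    out = re.sub(r'([,+"\\<>;])', r"\\\1", value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    return out[:-1] + "\\ " if out.endswith(" ") else out


def to_ad_entry(entry, target_ou, upn_suffix, mit_realm):
    """Whitelist copy: OpenLDAP operational attributes and userPassword are
    dropped; AD rejects the former, and authentication comes from the MIT realm."""
    uid, cn = entry["uid"][0], entry["cn"][0]
    ad = {
        "dn": [f"CN={escape_rdn_value(cn)},{target_ou}"],
        "changetype": ["add"],
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "cn": [cn],
        "sn": entry.get("sn", [uid]),     # sn is mandatory for an AD user
        "sAMAccountName": [uid],
        "userPrincipalName": [f"{uid}@{upn_suffix}"],
        # The attribute the post relies on: with the realm trust in place, AD
        # maps a ticket for this MIT principal onto this account.
        "altSecurityIdentities": [f"Kerberos:{uid}@{mit_realm}"],
    }
    for src, dst in (("givenname", "givenName"), ("mail", "mail"), ("description", "description")):
        if src in entry:
            ad[dst] = entry[src]
    return ad


def write_ldif(entries):
    """Serialise records; values unsafe in LDIF are base64-encoded ('::')."""
    out = []
    for entry in entries:
        for attr, values in entry.items():
            for v in values:
                if v[:1] in (" ", ":", "<") or not v.isprintable() or not v.isascii():
                    v = ": " + base64.b64encode(v.encode("utf-8")).decode("ascii")
                else:
                    v = " " + v
                out.append(f"{attr}:{v}")
        out.append("")
    return "\n".join(out)


def convert(slapcat_text, target_ou, upn_suffix, mit_realm):
    """Entries without uid and cn (OUs, groups) are skipped, not guessed at."""
    users = [e for e in parse_ldif(slapcat_text) if "uid" in e and "cn" in e]
    return write_ldif([to_ad_entry(e, target_ou, upn_suffix, mit_realm) for e in users])


if __name__ == "__main__":   # save the output as users.ldf; import: ldifde -i -f users.ldf
    print(convert(SAMPLE_SLAPCAT, "OU=People,DC=ad,DC=example,DC=edu",
                  "ad.example.edu", "EXAMPLE.EDU"))
```

Two caveats a practitioner would want: the script sets no userAccountControl, so check the enabled state of the imported accounts before expecting logons, and the altSecurityIdentities mapping only takes effect once the realm trust between AD and the MIT KDC exists, which is the integration the Cornell and UMich pages above describe.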

>>> Tony Earnshaw <tonni@billy.demon.nl> 04/21/03 02:25PM >>>
Mon, 21.04.2003 at 17:37, Quanah Gibson-Mount wrote:

> I've never seen Howard or Kurt advocate the use of MIT Kerberos.  We use 
> Kerberos on a daily basis here, and my tests have repeatedly shown that 
> only Heimdal's implementation is stable in a threaded environment when 
> combined with OpenLDAP.

Then I shall regard you as the oracle, from now on :-)

Best,

Tony

-- 

Tony Earnshaw

Do not come to visit me with both arms the same length.

e-mail:		tonni@billy.demon.nl 
www:		http://www.billy.demon.nl