
RE: Active directory and openldap



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Corey Scholefield

> On Wed, 21 May 2003, Michel Lacle wrote:
>
> > Yes it is possible.
> >
> >   We are doing it at my university. Quite a complicated
> process though to
> > setup.
> >
> > Michel.
>
> Would you be able to offer any tips on how you proceeded to
> get it working, or
> perhaps on the overall architecture ?
>
> I was under the impression that one could establish a trust
> relationship between
> an Active Directory domain and a non-Microsoft Kerberos realm
> in order to establish
> connectivity like this....?

Yes, you can, but that doesn't gain you very much. All it lets you do is use
a foreign realm to verify a user's credentials (i.e., authentication), but it
doesn't allow you to retrieve the user's privileges (i.e., authorization)
from a foreign source. For that you need something else, like Samba.

> > On Tue, 20 May 2003, François Bourget wrote:
> >
> > > Hello,
> > >
> > > Just want to be able to use a Campus-wide LDAP server
> (openldap) with an AD
> > > locally so that our users have the same password. They
> already have the
> > > same username all across Campus.
> > >
> > > Is it possible to use an OpenLDAP server as a Master, and
> that server feeds
> > > an AD domain with usernames and password only in one
> direction. Don't need
> > > anything else than username and password (for now)
> > >
> > > I looked around and heard of lots of things... MS Services
> for Unix, MSS,
> > > Metadirectories... ???#$%
> > >
> > > The simpler the better, is it possible ??

Yes, it's feasible to set up an OpenLDAP master that uses slurpd to replicate
changes into AD. The one catch is that you must use cleartext passwords if
you want them to be replicated, and you must transform the UTF-8 userPassword
from OpenLDAP into the Unicode unicodePwd attribute during the replication.
Generally I use a bit of perl code to do this step. And of course, you must
use a protected connection (SASL/GSSAPI or TLS) to bind to AD as a privileged
user to make these changes.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
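The userPassword to unicodePwd conversion the reply describes, written out as an added Python example rather than the Perl the author mentions (this is not code from the original post; the function names, the LDIF modify record and the sample DN and password are constructed for illustration). It also rejects hashed userPassword values, since AD needs the cleartext to derive its own hashes:

```python
import base64

# OpenLDAP may prefix userPassword with a scheme. Only {CLEARTEXT} (or no
# prefix) carries the password itself; hashed values ({SSHA}, {CRYPT}, ...)
# cannot be turned into unicodePwd, which is why the reply insists on cleartext.
CLEARTEXT_SCHEME = "{CLEARTEXT}"


def userpassword_to_unicodepwd(user_password: bytes) -> bytes:
    """Convert a UTF-8 OpenLDAP userPassword value into an AD unicodePwd value.

    AD expects the password wrapped in double quotes and encoded as UTF-16LE.
    Hashed values are rejected rather than passed on as if they were passwords.
    """
    text = user_password.decode("utf-8")
    if text.startswith("{"):
        scheme = text[: text.index("}") + 1].upper()
        if scheme != CLEARTEXT_SCHEME:
            raise ValueError(f"cannot replicate hashed userPassword ({scheme})")
        text = text[len(scheme):]
    return f'"{text}"'.encode("utf-16-le")


def unicodepwd_modify_ldif(dn: str, user_password: bytes) -> str:
    """Build the LDIF modify record that pushes the converted password to AD.

    unicodePwd is binary, so LDIF carries it base64-encoded after '::'.
    AD only accepts this change over an encrypted (TLS or SASL-sealed) bind,
    which matches the protected-connection requirement in the reply.
    """
    encoded = base64.b64encode(userpassword_to_unicodepwd(user_password)).decode("ascii")
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: unicodePwd\n"
        f"unicodePwd:: {encoded}\n"
        "-\n"
    )


if __name__ == "__main__":
    # Constructed sample: a campus account whose cleartext password is replicated.
    print(unicodepwd_modify_ldif("CN=jdoe,CN=Users,DC=campus,DC=example", b"Passw0rd"))
```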