
RE: Interoperability with MS Software

From: Jeremy Ardley <jeremy@electrosilk.net>

> Yes it does integrate.  We use VJ++ with Microsoft ADSI and LDAP enabled
> ADO to talk to openldap servers.  These components are not naturally
> thread-safe so multi-threaded applications need special precautions.
> There is a Microsoft LDAP C API that works better than ADO and ADSI but
> is slightly more difficult to use.  It is threadsafe.
> Microsoft ASP and scripting languages can talk to openldap with no
> problems.
> C# natively connects to openldap and is very fast.

...but On Tue, 9 Sep 2003, Francois Beretti wrote:
> I am pretty sure that most of the MS software will not directly interoperate
> at all with openldap. At least you will have to implement the A.D. schema in
> OpenLDAP
> Then A.D. control access management is very different from OpenLDAP's, and I
> think you will have some headaches

The difference is, of course, what you mean by "integrate".  Windows 2000
and up have LDAP libraries and a variety of APIs to take advantage of
them.  But OpenLDAP right out of the box is not what Windows expects of an
ADS Domain Controller, if *that* is what you mean.

For the latter you'll need to load a compatible version of the ADS schema
extensions, implement Kerberos V, add certain SRV records to your DNS
zones, and populate your Kerberos and directory services with a few
objects which ADS hosts expect.  Those Kerberos principals must also have
certain attributes in addition to those supplied by the native Kerberos
tools, to glue them to the NT security model.  It sounds like great fun --
I wish I had the time to do one.

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
MS Windows *is* user-friendly, but only for certain values of "user".
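The "certain SRV records" the message refers to, as an added illustration that is not part of the original thread: a BIND-style zone fragment listing the DNS names a Windows DC locator queries when it looks for a domain controller's Kerberos and LDAP services. The domain (example.com), realm (EXAMPLE.COM), host (dc1) and address are placeholder values assumed for the example.

```dns
; Constructed example zone fragment for example.com (placeholder names);
; not taken from the original message. dc1 is assumed to run both the
; Kerberos V KDC and the OpenLDAP server.
$ORIGIN example.com.
$TTL 3600

dc1                     IN A     192.0.2.10

; Realm hint for clients that map the DNS domain to a Kerberos realm.
_kerberos               IN TXT   "EXAMPLE.COM"

; KDC (port 88) over TCP and UDP, and the password-change service (port 464).
_kerberos._tcp          IN SRV   0 100 88   dc1.example.com.
_kerberos._udp          IN SRV   0 100 88   dc1.example.com.
_kpasswd._tcp           IN SRV   0 100 464  dc1.example.com.
_kpasswd._udp           IN SRV   0 100 464  dc1.example.com.

; LDAP (port 389) at the domain apex and under the _msdcs subtree that the
; Windows DC locator walks; pdc marks the PDC-emulator role holder.
_ldap._tcp              IN SRV   0 100 389  dc1.example.com.
_ldap._tcp.dc._msdcs    IN SRV   0 100 389  dc1.example.com.
_ldap._tcp.pdc._msdcs   IN SRV   0 100 389  dc1.example.com.

; Site-scoped copies; Default-First-Site-Name is the AD default site name.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs     IN SRV 0 100 389 dc1.example.com.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88  dc1.example.com.

; Global catalog (port 3268); the server must actually answer GC queries here.
_gc._tcp                IN SRV   0 100 3268 dc1.example.com.
_ldap._tcp.gc._msdcs    IN SRV   0 100 3268 dc1.example.com.
```

Because joined Windows hosts take the KDC and LDAP server identity from these answers, serve them only from authoritative name servers you control, and confirm what clients will actually see with a query such as `dig SRV _ldap._tcp.dc._msdcs.example.com` before pointing any machine at the realm.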