
Re: A possible way to have NT authentic against LDAP (RFI)



Luke Howard wrote:
> 
> >The API states that this function will be called by the system, from our
> >DLL, with the user's name and password.  We can *conceptually* have this
> >function run an ldap query to update a foreign ldap server.  I'm
> >planning to implement this on windows 2k but the ADSI SDK (windoze's
> >ldap SDK) can be installed on win95 or NT4 (I believe).
> 
> The password notify API is present as far back as NT 3.51 I believe,
> not on Win95 though. Note that it runs in kernel space, so you'll need
> something else to make the actual LDAP op.
> 
> This still doesn't address how you authenticate the user. The correct
> way to do this is to replace the Local Security Authority (LSA) DLL
> which is non-trivial. Another way is to write a GINA DLL; this is
> the approach NISGINA took, but only applies to interactive logons
> and still requires a local account to exist. I would question whether
> it's worth the effort when LDAP isn't really an authentication
> service.
> 

We used NISGINA for some time but have switched to running Samba fairly
successfully. Based on our admittedly limited experience I'm inclined to
avoid tinkering with GINA DLLs on the workstation: we had problems with
PC-Anywhere and LapLink, and one occasion where a service pack upgrade
and changing a virus scanner killed NISGINA. I'd love for someone to
port PAM to NT and have it picked up as the de facto authentication
system, but that's only going to happen with M$'s blessing and I suspect
that the NIH department will win that argument.
My 2c worth is to use LDAP as a backend to Samba and store the smbpasswd
info in it.



-- 
Iain Rae
Computing Officer
Dept. Civil & Offshore Engineering
Heriot-Watt University
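The following is an added configuration example, not part of the message above or of any Samba or NISGINA documentation. It shows the arrangement Iain suggests (LDAP holding the smbpasswd data for Samba) using the ldapsam passdb backend that Samba 3.x provides, which postdates this thread; the hostname, DNs and suffixes are placeholder assumptions.

```ini
# Added example (not from the thread): smb.conf fragment pointing Samba's
# account database at an LDAP server instead of the flat smbpasswd file.
# ldap.example.com, the dc=example,dc=com suffix and the cn=samba admin DN
# are assumed placeholders.
[global]
    workgroup = EXAMPLE
    security = user

    # Account records, including the sambaNTPassword / sambaLMPassword
    # attributes from samba.schema, live in LDAP rather than smbpasswd.
    passdb backend = ldapsam:ldap://ldap.example.com

    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers

    # DN Samba binds as to read and write the password attributes.
    # Its bind password is not kept in smb.conf; it is stored in
    # secrets.tdb with:  smbpasswd -w <bind-password>
    ldap admin dn = cn=samba,dc=example,dc=com

    # The NT hash is an unsalted MD4 of the password and is itself enough
    # to authenticate over NTLM, so never let it cross the wire in clear.
    ldap ssl = start tls
```

Moving the hashes out of a root-only smbpasswd file into a directory changes who can read them, so the directory ACL has to carry the same restriction: in an OpenLDAP slapd.conf that means an access rule for attrs=sambaLMPassword,sambaNTPassword granting write only to the Samba bind DN and none to everyone else (anonymous search on those attributes is equivalent to handing out the passwords).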