
Re: A possible way to have NT authentic against LDAP (RFI)



> This still doesn't address how you authenticate the user. The correct

I'm sorry, I should have mentioned that my goal is password
synchronization, not authentication.

(I) I gave up on unix<->windows authentication.  NISGINA would need to
be installed on every windows machine (at least 500+, plus a ton of
complications), plus how is its security? Cleartext?

(II) I'm also trying not to have the entire windoze network be dependent
on the UNIX ldap servers being up and vice-versa (win2k having a
built-in ldap server of its own further complicates things).

(III) ldap seems to be the way to go (it seems).  It's supported
natively (ie. nsswitch.conf) in Solaris8 and IRIX 6.5.?, and built into
win2k.

I originally thought of wrapping the 'passwd' command on the UNIX side
because a user password change would have to update two ldap databases,
the windows (win2k) and the unix.  Does ldap_pam allow updating 2
different ldap servers?  If so, great.

With a passwordnotify DLL on the PDC, LSA changes the windoze password
(as usual) then notifies us that the password has changed.  We then take
the opportunity to change the user password on the UNIX ldap server.

The biggest advantage of this scheme is that only the PDC needs to be
altered (and that's to add one DLL) and the UNIX and windoze ldap
servers can keep their schemas as they please.

Thanks to all who've replied.  Again, if anyone has any insight on this
please let me know,
Kervin
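The PDC-side hook Kervin describes, as an added example that is not code from the original post. The Windows export LSA calls is PasswordChangeNotify (declared in ntsecapi.h), loaded from a DLL named in the REG_MULTI_SZ value "Notification Packages" under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; it receives the user name, the RID and the new cleartext password after the change has already been committed. Everything else here is an assumption made so the file compiles and runs off-Windows: the UNICODE_STRING/NTSTATUS stand-ins replace the SDK headers, the ou=People,dc=example,dc=com DN layout and the ASCII-only check stand in for the real UNIX directory, build_password_ldif and notify_ascii are helper names invented for the example, and the record is written to a buffer for a separate helper process to hand to ldapmodify rather than being sent from inside LSASS.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the ntsecapi.h types (assumption: built off-Windows). */
typedef uint16_t WCHAR;
typedef struct { uint16_t Length; uint16_t MaximumLength; WCHAR *Buffer; }
    UNICODE_STRING, *PUNICODE_STRING;     /* Length is in BYTES, no NUL */
typedef int32_t NTSTATUS;
typedef uint32_t ULONG;
#define STATUS_SUCCESS ((NTSTATUS)0)

char last_ldif[1024];   /* record for the helper process; empty if skipped */

/* Zeroing that the optimiser keeps (the cleartext must not linger). */
static void wipe(void *p, size_t n) { volatile unsigned char *v = p; while (n--) *v++ = 0; }

/* UNICODE_STRING -> NUL-terminated printable ASCII, or -1 (assumption:
 * the UNIX directory holds ASCII uids and passwords). */
int ustr_to_ascii(const UNICODE_STRING *u, char *out, size_t outsz) {
    size_t n = u->Length / sizeof(WCHAR);
    if (n + 1 > outsz) return -1;
    for (size_t i = 0; i < n; i++) {
        if (u->Buffer[i] < 0x20 || u->Buffer[i] > 0x7e) return -1;
        out[i] = (char)u->Buffer[i];
    }
    out[n] = '\0';
    return (int)n;
}

static int uid_is_safe(const char *s) {   /* no RFC 4514 DN escaping needed */
    if (!*s) return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && !strchr("._-", *s)) return 0;
    return 1;
}

/* RFC 2849: a value that is empty, starts with space, ':' or '<', or ends
 * with a space must be base64 on a "::" line. Passwords hit this often. */
static int ldif_needs_base64(const char *v) {
    size_t n = strlen(v);
    return n == 0 || v[0] == ' ' || v[0] == ':' || v[0] == '<' || v[n - 1] == ' ';
}

static void base64(const unsigned char *in, size_t n, char *out) {
    static const char t[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t o = 0;
    for (size_t i = 0; i < n; i += 3) {
        uint32_t v = (uint32_t)in[i] << 16;
        if (i + 1 < n) v |= (uint32_t)in[i + 1] << 8;
        if (i + 2 < n) v |= in[i + 2];
        out[o++] = t[(v >> 18) & 63]; out[o++] = t[(v >> 12) & 63];
        out[o++] = i + 1 < n ? t[(v >> 6) & 63] : '=';
        out[o++] = i + 2 < n ? t[v & 63] : '=';
    }
    out[o] = '\0';
}

/* LDIF modify record to pipe into ldapmodify on the UNIX side (DN layout is
 * assumed). It carries the cleartext password, so the UNIX server must hash
 * on receipt and the link must be ldaps:// or local. -1 on bad uid/overflow. */
int build_password_ldif(const char *uid, const char *pw, char *out, size_t outsz) {
    char enc[4 * (255 / 3 + 1) + 1];
    const char *sep = ":", *val = pw;
    if (!uid_is_safe(uid) || strlen(pw) > 255) return -1;
    if (ldif_needs_base64(pw)) {
        base64((const unsigned char *)pw, strlen(pw), enc);
        sep = "::"; val = enc;
    }
    int n = snprintf(out, outsz, "dn: uid=%s,ou=People,dc=example,dc=com\n"
                     "changetype: modify\nreplace: userPassword\nuserPassword%s %s\n",
                     uid, sep, val);
    wipe(enc, sizeof enc);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* The export LSA calls from a DLL listed in the REG_MULTI_SZ value
 * HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages. It runs
 * inside lsass.exe as SYSTEM after the Windows password is committed, so its
 * return value cannot veto the change: a failed sync is logged, never fatal. */
NTSTATUS PasswordChangeNotify(PUNICODE_STRING UserName, ULONG RelativeId,
                              PUNICODE_STRING NewPassword) {
    char uid[64], pw[256];
    (void)RelativeId;   /* the UNIX side keys on uid, not the Windows RID */
    if (ustr_to_ascii(UserName, uid, sizeof uid) < 0 ||
        ustr_to_ascii(NewPassword, pw, sizeof pw) < 0 ||
        build_password_ldif(uid, pw, last_ldif, sizeof last_ldif) < 0)
        last_ldif[0] = '\0';
    wipe(pw, sizeof pw);    /* leave no cleartext on the LSASS stack */
    return STATUS_SUCCESS;  /* the helper must wipe last_ldif once sent */
}

/* Off-Windows driver (assumed helper): push ASCII literals through the real
 * entry point and return the record, or NULL if the change was skipped. */
const char *notify_ascii(const char *user, const char *pass) {
    WCHAR ub[64], pb[256];
    UNICODE_STRING u = {0, sizeof ub, ub}, p = {0, sizeof pb, pb};
    for (; user[u.Length / 2] && u.Length < sizeof ub; u.Length += 2)
        ub[u.Length / 2] = (WCHAR)(unsigned char)user[u.Length / 2];
    for (; pass[p.Length / 2] && p.Length < sizeof pb; p.Length += 2)
        pb[p.Length / 2] = (WCHAR)(unsigned char)pass[p.Length / 2];
    PasswordChangeNotify(&u, 1001, &p);
    wipe(pb, sizeof pb);
    return last_ldif[0] ? last_ldif : NULL;
}
```

Two caveats follow from the same facts. First, because the hook runs inside LSASS with the cleartext password of every user who changes it, the DLL file and the Notification Packages registry value are themselves a credential-theft target: anyone who can write a DLL into System32 and add it to that value gets every future password in clear, so both should be monitored. Second, the record above still contains the cleartext, so the helper that ships it must use ldaps:// (or a local socket) to the UNIX server and that server must hash userPassword on receipt; otherwise the "sync" leaks exactly what the user was worried NISGINA would leak.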