
Re: Windows2000 user verification



To answer your first question:

From my understanding of Active Directory and Windows 2000's design, neither
openLDAP (nor any other LDAP server that is *NOT* Active Directory) will
work to authenticate users to Active Directory, although (with some work)
Active Directory can authenticate users to other systems that use an LDAP
directory as their userid database.  There are several reasons for this, the
primary one being that MS keeps the account's SID (Security ID) as an
attribute, and this is NOT made available to store into other directory
services.  BTW, this is the same reason that while the Windows 2000 KDC can
serve Kerberos tickets to other consumers, Windows 2000 can not use tickets
served by other KDCs.

Another problem is that in order to login to a Windows 2000 forest, you must
have a Global Catalog available - something that non-AD directory services
don't provide.

Also, beware - I just found out at a Burton Group briefing yesterday that
Active Directory does not implement the inetOrgPerson object class - so even
using AD with some directory-enabled apps (those that expect inetOrgPerson
to be the base object class) may be iffy.  Needless to say, now I am going
to have to reconcile the schemas, and see what the differences really are.

Since it does not appear to be possible to do what you want, the other
questions, unfortunately, are a moot point at this time.  Sorry 'bout that.

My proposal for new Microsoft commercial:

MS:  "Where Do You Want To Go Today?"
us:  "Well, I think I would like..."
MS:  "IT DOESN'T MATTER where you want to go today!!"

Do you think they'll go for it? :-)

Cheers,
Ed Truitt, ICQ # 17313062
http://www.alltel.net/~etruitt
"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."
-----Original Message-----
From: Eivind Bengtsson <eivind@bengtsson.dk>
To: openldap-software@OpenLDAP.org <openldap-software@OpenLDAP.org>
Date: Wednesday, June 14, 2000 3:04 AM
Subject: Windows2000 user verification


>Hi there ...
>
>I have a list of questions concerning the possibilities for running
>OpenLDAP as an Active Directory server (primarily user verification) for
>a Windows2000 server.
>
>1) Is it possible ?
>
>2) Does it have any demands on your architecture and your
>schema-structure?
> - yes I bet it has - but what are they ?
>
>3) How will Windows2000 trust my OpenLDAP server?
>
>4) Does OpenLDAP comply with the query syntax of Windows2000? What do I
>need to make it work ?
>
>I would appreciate any help or pointers to help on these questions, as I
>need to know for sure that OpenLDAP will be able to fulfill this quest.
>If not I will have to implement a Windows2000 Active Directory Server -
>which I'd rather avoid :)
>
>I've tried to seek answers at the MSDN..but they only tell you how to
>connect to an AD - and not how it actually works..
>
>Thanks in advance
>/Eivind
>
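The schema reconciliation Ed says he now has to do can be started offline from the objectClass definitions each server publishes. The script below is an added example, not code from this thread: it parses RFC 4512 objectClass definitions and lists which attributes an application written for inetOrgPerson may use that a different class does not allow (and, run the other way, which attributes the other class carries that inetOrgPerson has no place for, the SID being the case Ed raises). The person/organizationalPerson/inetOrgPerson entries are abridged from RFC 4519 and RFC 2798; 'constructedUser' and its OID are a constructed stand-in for a vendor user class, not Active Directory's real schema.

```python
import re

# Abridged objectClass definitions in RFC 4512 syntax.  person,
# organizationalPerson and inetOrgPerson are cut down from RFC 4519 / 2798;
# 'constructedUser' is a made-up stand-in for a vendor user class that
# carries a SID-style attribute but no uid, NOT Active Directory's real schema.
SCHEMA_TEXT = """
( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL MAY ( title $ ou $ l $ postalAddress ) )
( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson STRUCTURAL MAY ( displayName $ givenName $ mail $ uid $ userCertificate ) )
( 1.2.3.4.5 NAME 'constructedUser' SUP organizationalPerson STRUCTURAL MUST ( cn ) MAY ( givenName $ mail $ displayName $ objectSid ) )
"""

def parse_objectclass(defn):
    """Pull NAME, SUP, MUST and MAY out of one RFC 4512 objectClass definition."""
    name = re.search(r"NAME\s+'([^']+)'", defn).group(1)
    sup = re.search(r"\bSUP\s+(\w+)", defn)

    def attr_list(keyword):
        # Either a parenthesised '$'-separated list or a single bare name.
        m = re.search(r"\b" + keyword + r"\s+(?:\(([^)]*)\)|(\w+))", defn)
        if not m:
            return set()
        body = m.group(1) if m.group(1) is not None else m.group(2)
        return {a.strip() for a in body.split("$") if a.strip()}

    return {"name": name, "sup": sup.group(1) if sup else None,
            "must": attr_list("MUST"), "may": attr_list("MAY")}

def load_schema(text):
    """Map class name -> parsed definition, one definition per line."""
    return {oc["name"]: oc for oc in
            (parse_objectclass(line) for line in text.strip().splitlines())}

def allowed_attrs(schema, cls):
    """Every attribute cls permits, walking the SUP chain up to the root."""
    allowed = set()
    while cls in schema:
        allowed |= schema[cls]["must"] | schema[cls]["may"]
        cls = schema[cls]["sup"]
    return allowed

def missing_attrs(schema, expected, actual):
    """Attributes an app written for `expected` may use that `actual` lacks."""
    return sorted(allowed_attrs(schema, expected) - allowed_attrs(schema, actual))

SCHEMA = load_schema(SCHEMA_TEXT)

if __name__ == "__main__":
    print("inetOrgPerson attrs not allowed on constructedUser:",
          missing_attrs(SCHEMA, "inetOrgPerson", "constructedUser"))
    print("constructedUser attrs foreign to inetOrgPerson:",
          missing_attrs(SCHEMA, "constructedUser", "inetOrgPerson"))
```

Against a live server the same functions apply to the objectClasses values read from the subschema subentry, with one definition per value.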