
Re: Win2k domain authing against Linux OpenLDAP



>  I've about got my OpenLDAP server working for Solaris and Linux.  Part of
>the company is using Windows, most migrating to 2k soon.  Nothing I can do
>about this so it is out of my hands.
>
>  At any rate, we want those to authenticate against the OpenLDAP also.  The
>Windows guy is saying he is finding a lot of docs saying it can't be done.
>He is pushing for an ADS server authentication to be master for everything
>and throw the LDAP out.

You can't replace a native mode W2K domain controller with one running
OpenLDAP. It is possible in theory but a lot of work would need to be
done.

A good way to start would be to implement the Microsoft-specific LDAP
matching rules, extended operations, and controls, and to add CLDAP
support at least for reading the root DSE. Then I would try and import
the data from an Active Directory server, update the LDAP SRV record
for a domain to point to the OpenLDAP server, and see what blows
up.

Actual _authentication_ is another matter entirely; this would require
a Kerberos KDC with support for Microsoft's proprietary PAC.

-- Luke

--
Luke Howard | lukehoward.com
PADL Software | www.padl.com
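
Added example, not part of the original post: the reply mentions CLDAP support for reading the root DSE, so this sketch shows the BER framing of a generic root DSE search as it would travel in one UDP datagram, plus the strict server-side check an implementer would run on receipt. The helper names are hypothetical and nothing here models Microsoft-specific matching rules, controls or attributes.

```python
# Added example: BER framing of a root DSE read in one CLDAP (UDP) datagram; names are hypothetical.

def tlv(tag, content=b""):
    """Encode one BER element; short-form lengths only (enough for this request)."""
    if len(content) >= 0x80:
        raise ValueError("long-form length not needed here")
    return bytes([tag, len(content)]) + content

def root_dse_request(message_id=1):
    """LDAPMessage: messageID + searchRequest(base "", scope base, objectClass present)."""
    if not 0 < message_id < 0x80:
        raise ValueError("message_id must fit one positive byte in this sketch")
    search = b"".join([
        tlv(0x04),                  # baseObject: empty DN selects the root DSE
        tlv(0x0A, b"\x00"),         # scope: baseObject(0)
        tlv(0x0A, b"\x00"),         # derefAliases: neverDerefAliases(0)
        tlv(0x02, b"\x00"),         # sizeLimit: 0 (no limit)
        tlv(0x02, b"\x00"),         # timeLimit: 0 (no limit)
        tlv(0x01, b"\x00"),         # typesOnly: FALSE
        tlv(0x87, b"objectClass"),  # filter: [7] present(objectClass)
        tlv(0x30),                  # attributes: empty list
    ])
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x63, search))

def read_tlv(buf, pos):
    """Decode one element at pos; return (tag, content, next_pos) or raise ValueError."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n >= 0x80:                   # long form: low 7 bits count the length bytes
        k = n & 0x7F
        if k == 0 or pos + k > len(buf):
            raise ValueError("bad length")
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated content")
    return tag, buf[pos:pos + n], pos + n

def is_root_dse_read(datagram):
    """Server side: True only for a well-formed base-scope search on the empty DN."""
    try:
        tag, msg, end = read_tlv(datagram, 0)
        id_tag, _, pos = read_tlv(msg, 0)
        op_tag, op, _ = read_tlv(msg, pos)
        base_tag, base, pos = read_tlv(op, 0)
        scope_tag, scope, _ = read_tlv(op, pos)
    except ValueError:
        return False
    tags_ok = (tag, id_tag, op_tag, base_tag, scope_tag) == (0x30, 0x02, 0x63, 0x04, 0x0A)
    return tags_ok and end == len(datagram) and base == b"" and scope == b"\x00"
```

The decoder rejects truncated datagrams and trailing bytes instead of guessing, which matters for a UDP listener that receives unauthenticated input.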