
Re: Win2k domain authing against Linux OpenLDAP

Yes, but you're not really using NTLM authentication to authenticate
to the directory, or exporting the directory to Active Directory
clients; it's just a store for the SAM database. Not that there
is anything wrong with this, of course, but it would be useful for
SAMBA to at least support the same schema as AD for SAM information.

-- Luke

>From: Nicolas Williams <Nicolas.Williams@ubsw.com>
>Subject: Re: Win2k domain authing against Linux OpenLDAP
>To: David Mandala <David.Mandala@DevelopOnline.com>, "'lukeh@PADL.COM'"
>    <lukeh@PADL.COM>, rharris@raindance.com
>Cc: openldap-software@OpenLDAP.org
>Date: Sat, 1 Sep 2001 22:30:24 -0400
>Yeah, that can work, using NTLM instead of Kerberos for authentication.
>I wonder how AD deals with PKI authentication; specifically, how does
>the LSA obtain a client's profile if the client authenticates using PKI?
>No NDA/trade-secret info please.
>On Sat, Sep 01, 2001 at 02:31:14PM -0700, David Mandala wrote:
>> Might also look at the SAMBA project v2.2 which is in development right
>> now. We are attaching SAMBA to OpenLDAP and using SAMBA as a PDC and
>> W2K with that.
>> -----Original Message-----
>> From: Luke Howard [mailto:lukeh@PADL.COM]
>> Sent: Saturday, September 01, 2001 4:44 AM
>> To: rharris@raindance.com
>> Cc: openldap-software@OpenLDAP.org; nicolas.williams@ubsw.com
>> Subject: Re: Win2k domain authing against Linux OpenLDAP
>> >  I've about got my OpenLDAP server working for Solaris and Linux.  Part of
>> >the company is using windows, most migrating to 2k soon.  Nothing I can do
>> >about this so it is out of my hands.
>> >
>> >  At any rate, we want those to authenticate against the OpenLDAP also.  The
>> >windows guy is saying he is finding a lot of docs saying it can't be done.
>> >He is pushing for an ADS server authentication to be master for everything
>> >and throw LDAP out.
>> You can't replace a native mode W2K domain controller with one running
>> OpenLDAP. It is possible in theory but a lot of work would need to be
>> done.
>> A good way to start would be to implement the Microsoft-specific LDAP
>> matching rules, extended operations, and controls, and to add CLDAP
>> support at least for reading the root DSE. Then I would try and import
>> the data from an Active Directory server, update the LDAP SRV record
>> for a domain to point to the OpenLDAP server, and see what blows
>> up.
>> Actual _authentication_ is another matter entirely, this would require
>> a Kerberos KDC with support for Microsoft's proprietary PAC.
>> -- Luke
>> --
>> Luke Howard | lukehoward.com
>> PADL Software | www.padl.com

Luke Howard | lukehoward.com
PADL Software | www.padl.com