The problem comes when a user needs to access something using NTLMv2. Two ways around that: either sync passwords from the MIT Kerberos realm (using something like DirXML, but that's a pain because the password must be changed once before it can be synced), or don't do password syncing and come up with another way for users to change their Windows passwords (usually through a web page that authenticates off the MIT realm, then lets the user set/reset their password).
Oh and I didn't say it in the last email, but to configure the kerberos name mapping, it is done in Users & Computers after turning on the Advanced view. Right click on the user account and there should be a Name Mappings selection.
Robbie Foust, IT Analyst Systems and Core Services Duke University
Roger Seielstad wrote:
Cool... Didn't know about that one.
(adds that to the list of stuff to try later)
-------------------------------------------------------------- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.
-----Original Message-----
From: Robbie Foust [mailto:[EMAIL PROTECTED] Sent: Thursday, March 18, 2004 9:49 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Can Microsoft Active Directory be configured to authenticate to an external ldap server ??
You actually don't configure AD, what you need to do is run ksetup.exe on the workstations (must be 2000 or XP) and add the Kerberos realm & Kerberos servers. (ksetup is part of the support tools). For example:
C:\> ksetup /addkdc MIT.KERBREALM.COM kserver.kerb.com
and then when the user logs in, they must select that realm from the drop-down list.
Also, the user account in AD needs to have the kerberos name mapping added so AD will know how to match up the accounts. The name mapping would be something like "[EMAIL PROTECTED]".
So basically, the password stored in AD is ignored. Let me know if this helps, or if this isn't what you're trying to do at all. :-)
Robbie Foust, IT Analyst Systems and Core Services Duke University
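The two steps Robbie describes (ksetup on the workstation, then the name mapping on the AD account), written out as a PowerShell script with a check after each step. This is an added example, not code from the thread; the realm name MIT.KERBREALM.COM and KDC kserver.kerb.com are the ones from his message, while the user name jdoe is made up. It assumes the ActiveDirectory PowerShell module is available on the admin host and that the AD domain already trusts the MIT realm (a cross-realm trust, which the thread does not discuss, is required before AD will accept the MIT ticket at all). Step 1 runs elevated on each workstation; step 2 runs once per user from an admin host.

```powershell
# Added example, not from the original thread.
# Assumed names: MIT.KERBREALM.COM (MIT realm), kserver.kerb.com (its KDC),
# jdoe (sAMAccountName of the AD account to map). Assumes the AD domain
# already trusts the MIT realm and RSAT's ActiveDirectory module is installed.

$Realm = 'MIT.KERBREALM.COM'
$Kdc   = 'kserver.kerb.com'
$User  = 'jdoe'

# --- Step 1: on each workstation (run elevated) -------------------------
# Tell the Kerberos SSP where to find the realm's KDC, and where password
# changes for that realm should go (the MIT kpasswd service).
ksetup /addkdc $Realm $Kdc
if ($LASTEXITCODE -ne 0) { throw "ksetup /addkdc failed with exit code $LASTEXITCODE" }
ksetup /addkpasswd $Realm $Kdc
if ($LASTEXITCODE -ne 0) { throw "ksetup /addkpasswd failed with exit code $LASTEXITCODE" }

# Check: ksetup with no arguments prints the current realm/KDC configuration.
$cfg = ksetup
if (-not ($cfg | Select-String -SimpleMatch $Kdc)) {
    throw "KDC $Kdc is not listed in the ksetup configuration"
}
# The realm only appears in the logon drop-down after a reboot.

# --- Step 2: on the AD account (run from an admin host) ------------------
# The Name Mappings dialog in Users & Computers (Advanced view) writes the
# altSecurityIdentities attribute; setting it directly is the same thing.
Import-Module ActiveDirectory
$mapping = "Kerberos:$User@$Realm"
Set-ADUser -Identity $User -Add @{ altSecurityIdentities = $mapping }

# Check: exactly one account must claim this principal. If two accounts
# carry the same mapping, AD cannot tell which one the MIT ticket belongs
# to and the logon fails.
$claims = @(Get-ADUser -LDAPFilter "(altSecurityIdentities=$mapping)" `
                       -Properties altSecurityIdentities)
if ($claims.Count -ne 1) {
    throw "Expected exactly one account mapped to $mapping, found $($claims.Count)"
}
Write-Host "Mapped $mapping to $($claims[0].DistinguishedName)"
```

Because the AD password is not consulted for these Kerberos logons, it is tempting to set it to a long random value; keep Robbie's follow-up in mind before doing so, since anything the user reaches over NTLMv2 will still authenticate against that AD password.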
Lara Adianto wrote:
Hi guys,
As the subject title says: can Microsoft Active Directory be configured to authenticate to an external LDAP server (OpenLDAP in my case)?
To make things clearer, this is the objective that I want to achieve:
I want authentication of Microsoft Active Directory's clients to be done by the OpenLDAP server on Linux. So, when a client of Microsoft Active Directory authenticates itself to MS AD, MS AD will ask OpenLDAP for authentication service. OpenLDAP will return reject or allow to MS AD.
I believe that this can be achieved by using Kerberos. I currently have the GSSAPI mechanism running on my OpenLDAP server, but I am not sure how to make MS AD talk to my OpenLDAP server.
Any idea, suggestions, hints will be very appreciated....
Cheers - Lara -
--------------------------------------------------------------
Life, you see, is never as good or as bad as one thinks. - Guy de Maupassant -
--------------------------------------------------------------
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
