Universities wouldn't want to use a realm trust scenario vs. this?  Does
this offer other advantages? 

-----Original Message-----
From: Robbie Foust [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 18, 2004 10:09 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Can Microsoft Active Directory be configured to authenticate to an external ldap server ??

Most universities have to do it this way since they already have kerberos
realms in place and aren't willing to migrate everything to AD.

The problem comes when a user needs to access something using NTLMv2. 
Two ways around that -- Either sync passwords from the MIT kerberos realm
(using something like DirXML - but that's a pain because the password must be
changed once before it can be synced), or don't do password syncing and come
up with another way for users to change their windows passwords (usually
through a web page that authenticates off the MIT realm, then lets the user
set/reset their password).

Oh and I didn't say it in the last email, but to configure the kerberos name
mapping, it is done in Users & Computers after turning on the Advanced view.
Right click on the user account and there should be a Name Mappings
selection.

Robbie Foust, IT Analyst
Systems and Core Services
Duke University
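As an added example (not Robbie's code or anything posted in this thread), the two halves of that setup as a PowerShell script: the realm name and KDC come from the message above, while the user DN, the principal name 'jdoe', and the ADSI append and password-rotation steps are my assumptions about how to script what the Users & Computers dialog does.

```powershell
# Added example, not code from the thread. Values taken from the thread:
# realm MIT.KERBREALM.COM and KDC kserver.kerb.com. The user DN and the
# principal name are placeholders.

# Run elevated on each Windows 2000/XP workstation (ksetup ships with the
# Support Tools). The KDC and kpasswd entries let the Kerberos SSP find the
# external realm; users then pick that realm from the logon drop-down.
function Add-ExternalRealm {
    param([string]$Realm, [string]$Kdc)
    & ksetup.exe /addkdc $Realm $Kdc
    & ksetup.exe /addkpasswd $Realm $Kdc   # needed for Ctrl-Alt-Del password changes
    & ksetup.exe /dumpstate                # confirm the realm now lists the KDC
}

# Run on a machine with rights over the user object. The "Name Mappings" ->
# "Kerberos Names" dialog in Users & Computers writes exactly this
# altSecurityIdentities value, so the mapping can be set with ADSI instead.
function Set-KerberosNameMapping {
    param([string]$UserDn, [string]$Principal, [string]$Realm)
    $user    = [ADSI]"LDAP://$UserDn"
    $mapping = "Kerberos:$Principal@$Realm"
    if (@($user.altSecurityIdentities) -notcontains $mapping) {
        $user.PutEx(3, 'altSecurityIdentities', @($mapping))  # 3 = ADS_PROPERTY_APPEND
        $user.SetInfo()
    }
    # The AD password is bypassed for Kerberos logons but still exists and is
    # still accepted for NTLM. If you take the no-sync route, replace it with
    # a long random value instead of leaving a user-chosen or default one
    # behind until the self-service page sets it. (Assumed hardening step.)
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $user.SetPassword([Convert]::ToBase64String($bytes))
    return $mapping
}

Add-ExternalRealm -Realm 'MIT.KERBREALM.COM' -Kdc 'kserver.kerb.com'
Set-KerberosNameMapping -UserDn 'CN=jdoe,OU=Users,DC=example,DC=com' `
                        -Principal 'jdoe' -Realm 'MIT.KERBREALM.COM'
```

The workstation half and the directory half normally run on different hosts; keep them as separate scripts in practice and check `ksetup /dumpstate` output before letting users log on against the new realm.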




Roger Seielstad wrote:
> Cool... Didn't know about that one.
> 
> (adds that to the list of stuff to try later)
> 
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> 
>>-----Original Message-----
>>From: Robbie Foust [mailto:[EMAIL PROTECTED]
>>Sent: Thursday, March 18, 2004 9:49 AM
>>To: [EMAIL PROTECTED]
>>Subject: Re: [ActiveDir] Can Microsoft Active Directory be configured 
>>to authenticate to an external ldap server ??
>>
>>
>>You actually don't configure AD, what you need to do is run ksetup.exe 
>>on the workstations (must be 2000 or XP) and add the kerberos realm & 
>>kerberos servers. (ksetup is part of the support tools). For example:
>>
>>C:\> ksetup /addkdc MIT.KERBREALM.COM kserver.kerb.com
>>
>>and then when the user logs in, they must select that realm from the 
>>drop down list.
>>
>>Also, the user account in AD needs to have the kerberos name mapping 
>>added so AD will know how to match up the accounts.  The name mapping 
>>would be something like "[EMAIL PROTECTED]".
>>
>>So basically, the password stored in AD is ignored.  Let me know if 
>>this helps, or if this isn't what you're trying to do at all. :-)
>>
>>Robbie Foust, IT Analyst
>>Systems and Core Services
>>Duke University
>>
>>
>>
>>
>>Lara Adianto wrote:
>>
>>>Hi guys,
>>>
>>>As what the subject title said: can Microsoft Active Directory be
>>>configured to authenticate to an external ldap server (openLDAP in my
>>>case)?
>>>
>>>To make things clearer, this is the objective that I want to achieve:
>>>
>>>I want authentication of Microsoft Active Directory's clients to be
>>>done by OpenLDAP server on Linux. So, when a client of Microsoft Active
>>>Directory authenticates itself to MS AD, MS AD will ask openLDAP for
>>>authentication service. openLDAP will return reject or allow to
>>>MS AD.
>>>
>>>I believe that this can be achieved by using Kerberos. I currently have
>>>GSSAPI mechanism running on my openLDAP server, but I am not sure how to
>>>make MS AD talk to my openLDAP server.
>>>
>>>Any ideas, suggestions, hints will be very appreciated....
>>>
>>>Cheers
>>>- Lara -
>>>
>>List info   : http://www.activedir.org/mail_list.htm
>>List FAQ    : http://www.activedir.org/list_faq.htm
>>List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/