On Mar 18, 2004, at 10:20 AM, Mulnick, Al wrote:
Dang. If I'd only waited a minute longer before sending :)
Brent Westmoreland
From: Brent Westmoreland [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 18, 2004 10:15 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Can Microsoft Active Directory be configured to authenticate to an external ldap server ??
There are actually a few ways (that I know of) to have Windows clients participate on an "open source" network. And Al is correct that Kerberos is actually more what enables this than LDAP. It is in fact the Kerberos layer that provides authentication. This practice is common at universities and the like, where there is an equal mix of *nix and Windows clients wanting to share users and SSO to "simplify" management.
One way to have Windows clients participate is to modify your clients to speak directly to your MIT Krb5 instance; this can be done by using the ksetup command as follows.
C:> Ksetup /setdomain REALM.DOMAIN.COM
C:> Ksetup /addkdc REALM.DOMAIN.COM kdc.realm.domain.com
You will, of course, need a security principal on the Krb5 instance for this to work properly, and if you have more than 20 Windows machines it really isn't worth the headache.
Another method is to set up an MIT Kerberos/OpenLDAP implementation trusted by AD. In this instance you get the benefits of keeping all of your user security principals in one place (OpenLDAP/Kerberos), and with a full-blown AD instance you can still take advantage of computer-based GPOs, a shared namespace (if set up properly), etc. By virtue of keeping your clients in OpenLDAP you allow SSO to Windows, *nix, Mac OS X, etc. Unfortunately the setup requires a great deal of research and careful planning. The implementations are often error-prone and complicated, and if you don't have 45 computer science interns running around to maintain your AD, OpenLDAP, Kerberos, Samba, etc. etc. etc. then it gets really messy really quick.
If you are really interested in this undertaking check out the following links:
Windows Stuff
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
OpenLDAP and Krb5
http://www.bayour.com/LDAPv3-HOWTO.html
You will also need a good understanding of Cyrus SASL and Pluggable Authentication Modules.
By far the MS-recommended way to do this is to have an AD install with SFU. I haven't had much time to play with the 3.5 release; however, the previous version was both powerful and stable, and it can greatly reduce your administrative overhead to maintain a single directory.
http://www.microsoft.com/windows/sfu/default.asp
On Mar 18, 2004, at 8:29 AM, Roger Seielstad wrote:
BMW Group - Data Center Americas
Business: 864.989.6567
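The ksetup procedure Brent describes, carried through end to end as an added example (this is not code from the thread; it is an editorial illustration). It runs on the Windows client with local administrator rights and assumes a realm REALM.DOMAIN.COM with KDC kdc.realm.domain.com, a user principal alice, and a host principal for the workstation that the Kerberos administrator has already created on the MIT KDC with a password matching the one set below. The realm, host names, account names and password are placeholders, not values from the thread. The MIT-side kadmin commands are shown only as comments, since they are typed on the KDC, not the client.

```powershell
# Placeholders: replace with your real realm, KDC, workstation and account names.
$Realm      = 'REALM.DOMAIN.COM'        # Kerberos realm, upper case by convention
$Kdc        = 'kdc.realm.domain.com'    # MIT KDC host name
$Kpasswd    = 'kdc.realm.domain.com'    # kpasswd server (often the same host)
$HostFqdn   = 'ws01.realm.domain.com'   # this workstation's FQDN, registered in DNS
$HostSecret = 'CHANGE-ME-host-secret'   # must equal the host principal's password on the KDC
$UserPrinc  = "alice@$Realm"            # MIT user principal that will log on here
$LocalUser  = 'alice'                   # local account the principal is mapped to

# Prerequisite on the MIT KDC (assumed, run by the Kerberos admin, not by this script):
#   kadmin.local -q "addprinc -pw $HostSecret host/$HostFqdn"
#   kadmin.local -q "addprinc $LocalUser"
# The host principal password and the computer password set below must match,
# otherwise the workstation cannot validate tickets issued by the KDC.

# 1. Point the workstation at the MIT realm instead of an AD domain.
ksetup /setdomain $Realm

# 2. Tell the client where the KDC and password-change service live.
ksetup /addkdc $Realm $Kdc
ksetup /addkpasswd $Realm $Kpasswd

# 3. Set the machine's own Kerberos secret (the host/ principal password).
ksetup /setcomputerpassword $HostSecret

# 4. Map the MIT user principal onto a local account so a logon as alice@REALM
#    lands in a local profile; a local account named $LocalUser must exist.
ksetup /mapuser $UserPrinc $LocalUser

# 5. Make sure the realm's hosts resolve to this realm rather than to AD.
ksetup /addhosttorealmmap $HostFqdn $Realm

# 6. Review what was configured before rebooting; ksetup /dumpstate prints
#    the realm, KDC list and user mappings currently stored in the registry.
ksetup /dumpstate

# A reboot is required before the realm settings take effect. After logging on
# as the mapped principal, 'klist' should show a TGT issued by $Realm.
```

Every one of these settings is written to the local machine, which is the point of Brent's caveat: with more than a handful of workstations the per-client bookkeeping (matching host secrets, user mappings, realm maps) becomes the maintenance burden that the trust-based or SFU approaches are meant to avoid.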
