The traffic you were seeing was almost certainly just looking up mail attributes. Did you see an actual bind packet? Did you see the authentication method? If you were using a simple LDAP auth you should see a password in the LDAP packet, plus ethereal is pretty good at pulling out and displaying simple binds and the userid/password sent. Most likely what happened when you disabled integrated is that the Exchange server shot the auth req through its secure channel to the proper DC or used kerberos. The LDAP traffic again was just asking for attribs and probably wasn't even using the user's security context.

That article you pointed at is the basic 5.5 design for E2K/K3, setting up a separate Exchange Forest. This has been discussed here on the list a couple of times. You slap Exchange in one forest, set up a one way trust to the other NT or AD domain (Exchange trusts the account domain) and then go from there. The Exchange forest will have disabled accounts for all users and the MS Exchange SID will point back to the foreign domain. You will need to keep this synced all of the time.

While possible, you may find this to be fun to administer, and last time I looked there was no automated way for setting up BDCs in SAMBA, which means you are very reliant on a single machine OR you are doing a lot of manual/scripted replication. Additionally you are now going to be slamming clear text passwords across your network for this unless you do something to further protect the HTTP streams like SSL.

Trying to implement Exchange with a *nix authentication backend is going to be extremely troublesome in my opinion. You have to have a full Windows Forest implementation already to run Exchange; you might as well just use that same forest for authentication. I think you would be better off spinning this all around and making Active Directory your authentication system and using kerberos on your *nix machines if you need that interaction.

I am admittedly prejudiced about this but the *nix solutions so far aren't anywhere near the Windows Domain system in ease of use and functionality. The integration of authentication and authorization and how relatively simple it is to configure is way ahead.

If you are gung ho to use a *nix authentication source, my first recommendation would be to get away from Exchange.
joe
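An added example, not code from the thread, to show what joe means by a capture tool displaying a simple bind's userid/password: a minimal BER decoder for an LDAPv3 BindRequest, plus a detection helper that flags binds whose password is readable on the wire and distinguishes them from a SASL (Kerberos-style) bind. The packet bytes, DN and password below are constructed for the example.

```python
# Added example, not code from the thread: a minimal BER decoder for an LDAPv3
# BindRequest, showing what a capture tool like Ethereal sees for a *simple*
# bind: the DN and password are plain OCTET STRINGs. Samples are constructed.

def _tlv(buf, pos):
    """Read one BER TLV at pos; return (tag, value, next_pos). Handles long lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_request(pkt):
    """Decode LDAPMessage{messageID, protocolOp=BindRequest}; None if not a bind."""
    tag, msg, _ = _tlv(pkt, 0)
    if tag != 0x30:                        # LDAPMessage ::= SEQUENCE
        return None
    _, mid, pos = _tlv(msg, 0)             # messageID INTEGER
    tag, body, _ = _tlv(msg, pos)
    if tag != 0x60:                        # [APPLICATION 0] BindRequest
        return None
    _, ver, pos = _tlv(body, 0)            # version INTEGER
    _, dn, pos = _tlv(body, pos)           # name LDAPDN
    tag, cred, _ = _tlv(body, pos)         # authentication CHOICE
    info = {"message_id": int.from_bytes(mid, "big"),
            "version": int.from_bytes(ver, "big"), "dn": dn.decode()}
    if tag == 0x80:                        # [0] simple OCTET STRING
        info["method"], info["password"] = "simple", cred.decode()   # cleartext on the wire
    elif tag == 0xA3:                      # [3] sasl SaslCredentials SEQUENCE
        info["method"], info["mechanism"] = "sasl", _tlv(cred, 0)[1].decode()
    return info

def _enc(tag, val):                        # short-form (<128 byte) TLV, enough for samples
    return bytes([tag, len(val)]) + val

def build_bind(message_id, dn, simple_pw=None, sasl_mech=None):
    """Constructed sample bind packet, simple or SASL, for feeding the parser."""
    auth = (_enc(0x80, simple_pw.encode()) if simple_pw is not None
            else _enc(0xA3, _enc(0x04, sasl_mech.encode())))
    body = _enc(0x02, b"\x03") + _enc(0x04, dn.encode()) + auth
    return _enc(0x30, _enc(0x02, bytes([message_id])) + _enc(0x60, body))

def cleartext_binds(packets):
    """Detection helper: DNs whose password would be readable in a capture."""
    parsed = (parse_bind_request(p) for p in packets)
    return [b["dn"] for b in parsed if b and b.get("method") == "simple"]

if __name__ == "__main__":   # constructed DN/password; the SASL one is a Kerberos-style bind
    print(cleartext_binds([build_bind(1, "cn=lara,cn=users,dc=adianto,dc=com", simple_pw="s3cret"),
                           build_bind(2, "", sasl_mech="GSS-SPNEGO")]))
```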
> Lara, where do you get that OWA is doing an LDAP query for auth? Neither OWA nor anything in the Windows world should be using LDAP auth; it should always be using kerberos and if that isn't working fall through to NTLM.
I disabled the Integrated Windows Authentication for the Exchange directory... and enabled only Basic authentication. Then I captured the packets with ethereal and saw that it queried AD with filter cn=lara,cn=users,cn=configuration, dc=adianto,dc=com or something of that sort (I forgot the exact query). There are a lot of ldap queries being captured... not only that one actually... it seems very complicated...

I don't really understand how Basic authentication and NTLM work...
> Also as usual, Al is right on in terms of the integration between AD/Exchange. To even have an Exchange Mailbox you will need an AD user object and you aren't going to force AD to use OpenLDAP to authenticate that user.
Oh well... then will I have a greater chance with SAMBA? That gave me an idea: authenticate OWA to a samba PDC, which will in turn use PAM_LDAP to talk to openldap. But well, it seems very tedious, and there is no guarantee that it will work. I mean, even if the OWA authentication works, will there be anything that prevents me from getting the sendmail/pop3/imap or mailbox whatsoever to work?

I suppose it's not possible to make OWA talk to pam_ldap directly?

I'm very new to all these... and not aware of the stumbling blocks that might prevent me from achieving my objective above...

Perhaps the experts out there can give me some hints or tips?

thanks again,
=lara=
Lara Adianto <[EMAIL PROTECTED]> wrote:
> I suppose the first question that comes to mind is, why? Exchange OWA is going to require you to eventually identify and authenticate to Active Directory. What's the use of doing it in openldap first?
I have an openldap server populated with the user credentials... and I don't want to replicate this information to AD. In short, I don't want to store username + password in AD.
> As it stands, I have not heard of anyone being able to change OWA's authentication to a separate LDAP directory. Exchange and Active Directory are married on too many levels.
Yes, I'm aware of this. That's why I posted this question. I can't find any information on the net. If it's not possible to direct the ldap queries to openldap, would it be possible to achieve my goals (to authenticate using openldap) by some other means? Using PAM or Samba maybe?

Hope this is clearer. Btw, I don't intend to replace the mail server with openldap. I'm just concerned with the user authentication.

Thanks for the response,
lara
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lara Adianto
Sent: Tuesday, August 10, 2004 5:39 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] replacing AD with openldap

Hi,

One of Outlook Web Access 2003's authentication methods is basic authentication, which does an ldap query to Active Directory for the username & password. Is it possible to configure it to query an external ldap server (such as Openldap) instead of active directory?

My objective is to make OWA use LDAP authentication. My LDAP server is openldap.

regards,
lara
------------------------------------------------------------------------------------
Life, you see, is never as good nor as bad as one thinks - Guy de Maupassant
------------------------------------------------------------------------------------