I believe they have WEBDAV open source client projects out there already... Probably be able to leverage something like that.
 
 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, August 11, 2004 9:26 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] replacing AD with openldap

Given the objective, OWA will likely not be the way to go, as it expects Active Directory. Instead, consider rolling your own web interface using WebDAV. If that proves too much effort, consider a meta-directory infrastructure with account and password synchronization to achieve your goal. You'd still identify, authenticate and authorize via Active Directory, but using the other credentials passed from the OpenLDAP system. I realize it doesn't meet your stated objective, but without knowing the rest of your objectives and why you are choosing this route, it's next to impossible to suggest anything and know whether it would be in the realm of possibility for you.
 
My highest recommendation would be to roll your own interface.  You can create whatever type of authentication mechanism you desire that way. Keep in mind there is no way to gain access to your mail store without providing credentials to Active Directory.  You need to follow the IAA process even if you authenticate to the OpenLDAP environment first and then trust or otherwise pass credentials.  That's because mailers that use LDAP directories don't have their own identity store.  Active Directory is the identity store for Exchange 200x and mail stores are defined and found via the attributes the user object contains.
 
What I'm getting at is that even if you roll your own web UI for access to the mailbox, you won't solve your other requirement of not putting usernames and passwords into Active Directory.  That leads to you now needing to program your own mailer and data store so that you won't need Active Directory at all.  This sounds like a solution that would meet your requirements that you've defined. 
 
But if you go that far, you may as well evaluate SuSE's OpenExchange server until it becomes GroupWise (or vice-versa.) http://www.suse.com/en/business/products/openexchange/slox_future.html 
 
Sure it's not free like the other solutions, but hey, neither is SAMBA right?  Must be an option IMHO. http://www.suse.com/en/business/products/openexchange/prices.html
 
Anyway, whatever you decide to do, I personally would like to be as helpful as possible. If there is any information or anything I can personally do to help, please don't hesitate to contact me either on or off-list. 
 
 
Good luck,
 
Al
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lara Adianto
Sent: Tuesday, August 10, 2004 11:47 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] replacing AD with openldap

>I suppose the first question that comes to mind is, why?  Exchange OWA
>is going to require you to eventually identify and authenticate to Active
>Directory.  What's the use of doing it in openldap first?
I have an openldap server populated with the user credentials... and I don't want to replicate this information to AD. In short, I don't want to store username + password in AD.

>As it stands, I have not heard of anyone being able to change OWA's
>authentication to a separate LDAP directory.  Exchange and Active
>Directory are married on too many levels.
Yes, I'm aware of this. That's why I posted this question. I can't find any information on the net. If it's not possible to direct the ldap queries to openldap, would it be possible to achieve my goals (to authenticate using openldap) by some other means? Using PAM or Samba maybe?

Hope this is clearer. Btw, I don't intend to replace the mail server with openldap. I'm just concerned with the user authentication.

Thanks for the response,

lara


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Lara Adianto
Sent: Tuesday, August 10, 2004 5:39 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] replacing AD with openldap

Hi,

One of Outlook Web Access 2003's authentication methods is basic
authentication, which does an ldap query to Active Directory for the
username & password.

Is it possible to configure it to query an external ldap server (such
as Openldap) instead of Active Directory?

My objective is to make OWA use LDAP
authentication. My LDAP server is openldap.

regards,
lara



------------------------------------------------------------------------------------
Life, you see, is never as good or as bad as one thinks
- Guy de Maupassant -
------------------------------------------------------------------------------------
