1) Built in. Also there is AD/AM as a free download, which is an LDAP standalone server product but doesn't do domain controller stuff. It is nice because you can use AD security principals to access the LDAP data in AD/AM app directories without the worry of syncing IDs/passwords.
2) When you mean the source, do you mean the source to replicate from, or do you mean the single sign-on point?

If the latter, AD doesn't use LDAP for auth, it uses Kerberos. LDAP isn't really an auth mechanism, but Kerberos is; LDAP just tends to get hijacked into that position because it is sometimes easy to do (though often insecure). If you have another Kerberos realm you can have AD trust it and then use the IDs from that realm against Windows resources. However, MS really worked out Kerberos to make it as transparent as possible to users, and I would way prefer to use Windows for Kerberos than any other OS. There are a couple of companies working on making it easier to integrate Linux/BSD into Windows domains so you can use all of the Windows management tools to manage the *nix/*bsd machines as well as use single-secure (i.e. not crappy LDAP PAM hacks) for auth of *nix/*bsd clients. One company is called Vintela. Not sure if I can publicly mention the other one yet, though if anyone wants to talk to the second, let me know and I will put them in touch with someone.

If you mean the former, i.e. the source to replicate from, sounds like your sysadmin may be busy writing some more code, as I doubt you will want to spend the money on third-party (or MS) sync software as you don't really seem to want the MS solution. This was done in a company that was a former customer of mine; they had worked out a large provisioning system that, believe it or not, drove the Windows provisioning from a mainframe. I won't say my personal feelings on it, but they jumped through a lot of hoops they could have avoided.

Finally, if you don't have single sign-on, you should probably be looking at it. Having a bunch of disparate systems that don't really talk to each other isn't very user friendly and, depending on how the sync software works, could be pretty insecure.
joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Romeyn Prescott
Sent: Thursday, November 04, 2004 7:12 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD & OpenLDAP

Greetings. I have just joined this list and I know next to nothing about Active Directory. We support most of our services with Linux whenever possible and still have an NT4 Domain Controller which will soon be replaced by a Linux box running Samba. The NT PDC is NOT the authoritative source for our user account info, however. That is sync'd with another server via some custom code that was written by one of our sysadmins.

My chief responsibility is Computer Lab/Classroom support, and I have been stuck using gpedit at the local level, not having had a Win2000 or 2003 server to play with, let alone AD. That is changing. We have just purchased a Windows 2003 server to meet another need, and I have a couple of questions which I hope are not out of line for this list:

1) Does Active Directory come with Server 2003, or is it some sort of "add-on" which must be purchased separately? (Microsoft's web site seems, in at least one location, to indicate that it comes with it, but I just want to be sure.)

2) We have a relatively new OpenLDAP server (also running on Linux) which also mirrors our account base. Given that we do NOT want the Windows 2003 server to be "the" source for our user accounts, is it possible to tell it to synchronize with an OpenLDAP server? Is such a task "trivial," "complicated," or "impossible?"

I thank you in advance for your time,
...ROMeyn
--
signat-url: http://www2.potsdam.edu/prescor/signat-url.htm

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
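joe's point that LDAP "gets hijacked" into being the auth mechanism via PAM hacks, and that this is often insecure, comes down to how pam_ldap authenticates: it does a simple bind with the user's password. The following is an added example (not code from the thread or from any of the products mentioned) that audits a pam_ldap/nss_ldap style ldap.conf for the settings that make that bind unsafe; the config text and hostnames are constructed, and treating anything but an explicit `tls_checkpeer yes` as unverified is an assumption.

```python
"""Audit a pam_ldap/nss_ldap style /etc/ldap.conf for settings that make
'LDAP as the authentication mechanism' insecure. Added example; the sample
configs are constructed, not taken from the thread."""
from __future__ import annotations


def parse_ldap_conf(text: str) -> dict[str, str]:
    """Parse 'key value' lines into a dict. '#' starts a comment, blank
    lines are skipped, keys are case-insensitive, later keys override."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(text: str) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_ldap_conf(text)
    findings: list[str] = []
    uris = conf.get("uri", "").split()
    ssl_mode = conf.get("ssl", "off").lower()
    # pam_ldap proves a user's password by binding with it, so without TLS
    # every login sends that password across the network in clear.
    all_ldaps = bool(uris) and all(u.lower().startswith("ldaps://") for u in uris)
    encrypted = ssl_mode in ("on", "start_tls") or all_ldaps
    if not encrypted:
        findings.append("cleartext transport: simple-bind passwords are exposed on the wire")
    # TLS without certificate verification still lets an impersonating server
    # collect bind passwords (assumption: anything but 'yes' is treated as off).
    if encrypted and conf.get("tls_checkpeer", "").lower() != "yes":
        findings.append("tls_checkpeer is not 'yes': server certificate is not verified")
    # bindpw in ldap.conf is a long-lived directory credential in a file that
    # must stay world-readable so nss_ldap works inside every process.
    if conf.get("bindpw"):
        findings.append("bindpw stored in ldap.conf: directory credential readable on disk")
    return findings


# Constructed sample: the typical "just point PAM at the directory" setup.
INSECURE_CONF = "uri ldap://ldap.example.edu\nbase dc=example,dc=edu\n" \
    "binddn cn=proxy,dc=example,dc=edu\nbindpw s3cret\nssl off\n"
# Same directory with transport and trust settings corrected (constructed).
HARDENED_CONF = "uri ldap://ldap.example.edu\nbase dc=example,dc=edu\n" \
    "ssl start_tls\ntls_checkpeer yes\ntls_cacertfile /etc/ssl/certs/ca.pem\n"

if __name__ == "__main__":
    for name, conf in (("insecure", INSECURE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ldap_conf(conf) or ["no findings"])
```

Even with every finding cleared, the password still leaves the client on each login, which is the gap Kerberos closes and the reason joe prefers it over any LDAP-based scheme.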
