
RE: Win2k Authorization
I just spent time figuring this out.

My authentication method involves binding anonymously and looking up the
user's DN by doing a search through all users for the entry containing the
attribute the user supplied for ID. In ADS, "userPrincipalName" fits the
bill here, though you could use any attribute that uniquely identifies the
user. So I get the user's DN, then use that DN to bind again along with the
PW. Success or failure of that bind is authentication.

By default, ADS is configured to NOT allow anonymous binding. You have to
change some security settings in ADS to get this to work. The following
works, but might be overkill:

Allow EVERYONE the following rights:

READ PERMISSION
LIST CONTENTS
READ PROPERTIES

over all items in the directory.

Hope this helps,

Scott

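The lookup-then-bind flow Scott describes, written out as an added example (not code from this thread or from OpenLDAP). It escapes the user-supplied ID before it goes into the search filter (RFC 4515), refuses an empty password so the second bind can never degrade into an unauthenticated bind (RFC 4513 section 5.1.2, which Active Directory accepts by default), and requires exactly one match. The `FakeDirectory`, its `example.com` entries and the `Ldap3Directory` adapter are constructed for this example; the adapter is an assumed wrapper over the ldap3 library and is not required to run the rest.

```python
"""Two-step authentication against Active Directory: anonymous search for the
DN, then a simple bind as that DN. Added example; all names are placeholders."""
import re

BASE_DN = "OU=Users,DC=example,DC=com"   # assumed search base


class AuthenticationError(Exception):
    pass


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP filter (RFC 4515).
    Without this, an ID such as '*' or 'x)(objectClass=*' rewrites the filter
    instead of being matched literally."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def build_lookup_filter(id_attribute: str, user_id: str) -> str:
    return f"({id_attribute}={escape_filter_value(user_id)})"


def authenticate(directory, user_id: str, password: str, base_dn: str = BASE_DN,
                 id_attribute: str = "userPrincipalName") -> str:
    """Return the user's DN on success, raise AuthenticationError otherwise.
    `directory` must offer search_dns(base_dn, filter) over an anonymous
    connection and bind(dn, password) -> bool."""
    if not user_id or not password:
        # A simple bind with a DN and an empty password is an *unauthenticated*
        # bind (RFC 4513 5.1.2); AD reports success for it, so stop it here.
        raise AuthenticationError("user id and password are required")
    matches = directory.search_dns(base_dn, build_lookup_filter(id_attribute, user_id))
    if len(matches) != 1:
        # zero: unknown user; more than one: the attribute is not unique after all.
        raise AuthenticationError("invalid credentials")
    dn = matches[0]
    if not directory.bind(dn, password):
        raise AuthenticationError("invalid credentials")
    return dn


class FakeDirectory:
    """In-memory stand-in for the AD server (constructed for this example).
    Like a real server it treats '\\XX' as a literal byte and a bare '*' as a
    wildcard, which is exactly why the client must escape user input."""

    def __init__(self, entries):
        self._entries = entries   # dn -> {"attrs": {...}, "password": "..."}

    def search_dns(self, base_dn, ldap_filter):
        m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
        if not m:
            return []
        attr, pattern = m.group(1).lower(), m.group(2)
        regex = ""
        for tok in re.split(r"(\\[0-9a-fA-F]{2}|\*)", pattern):
            if tok.startswith("\\"):
                regex += re.escape(chr(int(tok[1:], 16)))
            elif tok == "*":
                regex += ".*"
            else:
                regex += re.escape(tok)
        hits = []
        for dn, entry in self._entries.items():
            attrs = {k.lower(): v for k, v in entry["attrs"].items()}
            value = attrs.get(attr, "")
            if dn.lower().endswith(base_dn.lower()) and re.fullmatch(regex, value, re.I):
                hits.append(dn)
        return hits

    def bind(self, dn, password):
        entry = self._entries.get(dn)
        return entry is not None and entry["password"] == password


def sample_directory() -> FakeDirectory:
    """Constructed sample data, not real accounts."""
    return FakeDirectory({
        "CN=Alice,OU=Users,DC=example,DC=com":
            {"attrs": {"userPrincipalName": "alice@example.com"}, "password": "s3cret"},
        "CN=Bob,OU=Users,DC=example,DC=com":
            {"attrs": {"userPrincipalName": "bob@example.com"}, "password": "pa55"},
    })


class Ldap3Directory:
    """Assumed adapter over the ldap3 library (imported lazily so this file
    runs without it). Uses LDAPS on 636 so the password is not sent in clear."""

    def __init__(self, host: str):
        import ldap3
        self._ldap3 = ldap3
        self._server = ldap3.Server(host, use_ssl=True)

    def search_dns(self, base_dn, ldap_filter):
        conn = self._ldap3.Connection(self._server, auto_bind=True)   # anonymous bind
        conn.search(base_dn, ldap_filter)
        dns = [e.entry_dn for e in conn.entries]
        conn.unbind()
        return dns

    def bind(self, dn, password):
        conn = self._ldap3.Connection(self._server, user=dn, password=password)
        ok = conn.bind()
        conn.unbind()
        return ok
```

Note that the anonymous search only needs the rights Scott lists (list contents, read properties) on the container that holds the users; granting them over the whole directory works but is broader than this flow requires.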

-----Original Message-----
From: Daniel Curry [mailto:dcurry@cgtime.com]
Sent: Friday, September 28, 2001 2:54 PM
To: Openldap-Software (E-mail)
Subject: Win2k Authorization


How can I get users on Linux workstations to authenticate against a
Win2k Active Directory?

Daniel Curry
Systems Administrator
CGtime, Inc.
625 Second Street
Suite 201
San Francisco, CA 94107
ph: 415-348-6516
fx: 415-348-6505
cell: 510-579-6680