[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: windows authentication & openldap: explanation.

To: brian jones <bj_rui@hotmail.com>
Subject: Re: windows authentication & openldap: explanation.
From: "Kervin L. Pierre" <kervin@blueprint-tech.com>
Date: Fri, 26 Jul 2002 16:27:07 -0400
Cc: openldap-software@OpenLDAP.org
References: <F30XvGoy8Vo9WanR0bB000011c9@hotmail.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1a+) Gecko/20020713

The protocol windows uses to authenticate domain users is undocumented. It uses LDAP and Kerberos, both relatively standard implementations, but there is a lot more to the process of authenticating against the Windows domain than just these parts. The Samba list would be a good place to get info on this, I'd guess.

Windows can authenticate against standard LDAP server if you use a GINA module, eg. http://pgina.cs.plu.edu/ and I think Novell has a GINA product as well I think. GINA is something like Window's PAM I think. It replaces at least part of the authentication subsystem.

Another angle is synchronization of the windows accounts and passwords with that in the LDAP directory eg. Novell's Password Sync, and iPlanet's NT Sync, and also Psynch http://psynch.com . Again the windows password synchronization api is what makes these products possible.

Finally, the Windows domain controller could be replaced entirely. That's what SAMBA does. Win2k native support is not completed yet, I'd check the samba list before running on a production environment. WinNT and Win2k mix mode should work fine.

--Kervin

brian jones wrote:

i've seen posts in the archives mentioning the inability of windows clients (2000, nt) to authenticate domain logins against an openldap directory, but i haven't been able to find any explanations of why. can't windows clients use ldap for their authentication? i thought they used ldap to authenticate against a dc running active directory, is that incorrect? or is this just another case of non-standard implementations? anyway, if someone could give me a clue or at least point me in the right direction i'd really appreciate it. we're probably going to use a samba server as a pdc and then have that check passwords against an ldap server instead of a local password file, but i'm really curious why windows and openldap don't work in this way. thanks in advance, -brian
_________________________________________________________________
Chat with friends online, try MSN Messenger: http://messenger.msn.com

References:
- windows authentication & openldap: explanation.
  - From: "brian jones" <bj_rui@hotmail.com>

Prev by Date: RE: (fixed) Re: nss not resolving group id's
Next by Date: Re: windows authentication & openldap: explanation.
Index(es):
- Chronological
- Thread