
Re: Active Directory to OpenLDAP



I don't know anything about ad4unix, except what I
just read. It looks interesting.

What exactly is it you're trying to accomplish in the
end?

--Dave

--- Tobias Rice <rice@up.edu> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Dave-
> 
>  >>Of course, obtaining the Windows passwords or password
>  >>hashes is not achievable using either of these
>  >>methods.
> 
> DOH!
> That's a real bummer. It's kind of hard to authenticate without a
> password, so I guess it can't work???
> I wonder if we could just use Kerberos/AD for everyone
> (Win32/bsd/sun/osx/etc...)
> Ever use ad4unix? ( http://www.css-solutions.ca/ad4unix/index.html )
> Many, many thanks for your time!
> Tobias
> 
> Dave Snoopy wrote:
> 
>  >You can use the OpenLDAP "ldapsearch" tool to do a lot
>  >of the work. First, compile it with Kerberos. Use
>  >kinit to get yourself a ticket as someone in the
>  >Windows domain. Make sure that your krb5.conf file has
>  >these lines in the [libdefaults] section:
>  >
>  >  default_etypes = des-cbc-crc
>  >  default_etypes_des = des-cbc-crc
>  >
>  >Install Heimdal on your machine, and Cyrus SASL.
>  >Compile ldapsearch to be heimdal and SASL aware (this
>  >can sometimes be a pain, but it's doable). After doing
>  >a kinit, tell ldapsearch to bind to the Windows DC
>  >using SASL. It should automatically pick the GSSAPI
>  >(aka Kerberos) mechanism, and you'll be in. From there
>  >it's just a matter of doing the right queries against
>  >ADS, such as "(objectCategory=user)".
>  >
>  >For a simpler approach though, you might just want to
>  >create a Perl script on your PDC and run it as admin,
>  >which will dump all of your users and groups to a
>  >file. You could then write a corresponding Perl script
>  >to parse the file and turn it into an ldif file, which
>  >you could use to insert the users into your LDAP
>  >server.
>  >
>  >Of course, obtaining the Windows passwords or password
>  >hashes is not achievable using either of these
>  >methods.
>  >
>  >Good luck,
>  >Dave
>  >
>  >
>  >--- Tobias Rice <rice@up.edu> wrote:
>  >
>  >>-----BEGIN PGP SIGNED MESSAGE-----
>  >>Hash: SHA1
>  >>
>  >>In our quest for a unified login, we're pursuing what we think is the
>  >>most compatible authentication method: LDAP. Our biggest obstacle
>  >>thus far is getting the data from our Windows domain (2k Active
>  >>Directory) to the OpenLDAP servers. Has anyone successfully
>  >>accomplished this? Any advice or suggestions would be greatly
>  >>appreciated.
>  >>
>  >>-----BEGIN PGP SIGNATURE-----
>  >>Version: PGP 8.0.2 - not licensed for commercial use: www.pgp.com
>  >>
>  >>iQA/AwUBPtaGv8NinOuDXR1bEQLnAACfdyJ+sYqvIkhMEFn9SQitAC5YsA0AoNBQ
>  >>jeal5dyvzGgh97i/FL9KXXhG
>  >>=U3ld
>  >>-----END PGP SIGNATURE-----
>  >>
>  >
>  >__________________________________
>  >Do you Yahoo!?
>  >Yahoo! Calendar - Free online calendar with sync to Outlook(TM).
>  >http://calendar.yahoo.com
>  >
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0.2 - not licensed for commercial use: www.pgp.com
> 
> iQA/AwUBPtab/sNinOuDXR1bEQJugQCdH3YydICCRa6/NZIKMiusp/LFN5cAoJFE
> PJ6sweIy5PgGsL4CWPiajwJQ
> =txkP
> -----END PGP SIGNATURE-----
> 
> 


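The second route Dave describes in the quoted message (dump the AD users and groups, then turn that dump into an LDIF you can load into OpenLDAP) as a worked example. This is added here; it is not code from the thread or from any of its participants, and it is in Python rather than the Perl Dave mentions. It reads the LDIF that ldapsearch itself prints, so the sample input below is a constructed two-user fragment; the target suffixes, the uidNumber/gidNumber ranges and the allowlist of attributes that cross over are all assumptions. In line with the point made twice in the thread, no userPassword is produced, because the password hashes are not obtainable from AD: the resulting accounts still need Kerberos/AD (or a separately set password) before anyone can log in against them.

```python
# Added example (not from the thread): convert an ldapsearch dump of AD user
# entries into LDIF for OpenLDAP.  The sample dump below is constructed
# ("::" marks a base64 value, a leading space an LDIF continuation line);
# suffixes, id ranges and the attribute allowlist are assumptions.
import base64

SAMPLE_DUMP = """\
dn: CN=Tobias Rice,CN=Users,DC=ad,DC=example,DC=edu
sAMAccountName: trice
givenName: Tobias
sn: Rice
displayName:: VG9iaWFzIFJpY2U=
mail: rice@example.edu
memberOf: CN=staff,CN=Users,DC=ad,DC=example,DC=edu
objectSid: S-1-5-21-0-0-0-1001

dn: CN=Dave Snoopy,CN=Users,DC=ad,DC=example,DC=edu
sAMAccountName: dsnoopy
givenName: Dave
sn: Snoopy
displayName: Dave Sno
 opy
mail: dave@example.edu
memberOf: CN=staff,CN=Users,DC=ad,DC=example,DC=edu
memberOf: CN=admins,CN=Users,DC=ad,DC=example,DC=edu
"""

PEOPLE_SUFFIX = "ou=people,dc=example,dc=edu"             # assumed containers
GROUP_SUFFIX = "ou=groups,dc=example,dc=edu"
FIRST_UID, FIRST_GID, DEFAULT_GID = 10000, 5000, 100      # assumed id ranges
CARRIED = ("givenName", "sn", "mail")      # the only AD attributes copied over

def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]}: unfold lines, decode '::'."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]               # continuation of previous line
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:                  # trailing "" flushes last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):                  # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    return entries

def to_posix_users(ad_entries, suffix=PEOPLE_SUFFIX, first_uid=FIRST_UID):
    """One inetOrgPerson+posixAccount per AD user; no userPassword, since the
    hash cannot be pulled from AD (users still need Kerberos/AD to log in)."""
    users = []
    for uid_number, e in enumerate(ad_entries, start=first_uid):
        login = e["sAMAccountName"][0]
        entry = {
            "dn": f"uid={login},{suffix}",
            "objectClass": ["inetOrgPerson", "posixAccount"],
            "uid": [login],
            "cn": e.get("displayName") or [f"{e['givenName'][0]} {e['sn'][0]}"],
            "uidNumber": [str(uid_number)],
            "gidNumber": [str(DEFAULT_GID)],
            "homeDirectory": [f"/home/{login}"],
        }
        for attr in CARRIED:                      # allowlist: SIDs etc. dropped
            if attr in e:
                entry[attr] = e[attr]
        users.append(entry)
    return users

def to_posix_groups(ad_entries, suffix=GROUP_SUFFIX, first_gid=FIRST_GID):
    """Turn memberOf references into posixGroup entries with memberUid lists."""
    members = {}
    for e in ad_entries:
        for group_dn in e.get("memberOf", []):
            name = group_dn.split(",", 1)[0].split("=", 1)[1]   # CN=staff -> staff
            members.setdefault(name, []).append(e["sAMAccountName"][0])
    return [{"dn": f"cn={name},{suffix}", "objectClass": ["posixGroup"],
             "cn": [name], "gidNumber": [str(gid)], "memberUid": members[name]}
            for gid, name in enumerate(sorted(members), start=first_gid)]

def ldif_line(attr, value):
    """RFC 2849: base64-encode values that are unsafe as a plain 'attr: value'."""
    if (not value.isascii() or value[:1] in (" ", ":", "<")
            or value.endswith(" ") or any(c in value for c in "\r\n\0")):
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"

def to_ldif(entries):
    """Serialise entry dicts as LDIF that ldapadd accepts."""
    blocks = []
    for entry in entries:
        lines = [f"dn: {entry['dn']}"] + [ldif_line(a, v) for a, vs in entry.items()
                                          if a != "dn" for v in vs]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"

if __name__ == "__main__":
    ad_users = parse_ldif(SAMPLE_DUMP)
    print(to_ldif(to_posix_users(ad_users) + to_posix_groups(ad_users)))
```

Running the file prints the combined user and group LDIF, which can be fed to ldapadd against the OpenLDAP server. The allowlist in CARRIED is the deliberate design choice: everything else in the dump (SIDs, memberOf references, any other AD-internal attribute) is dropped rather than copied by default, so the OpenLDAP tree only ever receives what was explicitly chosen for it.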