Windows with MIT krb5 and OpenLDAP
Brian Davidson
bdavids1 at gmu.edu
Fri Apr 9 16:53:41 EDT 2004
On Apr 9, 2004, at 1:32 PM, Jeffrey Altman wrote:
>
> I do not know how you would use OpenLDAP in place of the Windows
> Active Directory. I suggest you ask that question on an OpenLDAP
> mailing list.
>
As Jeffrey said:

MIT + standalone Windows works if you map the Kerb principal to a user on the Windows box.

MIT + AD also works if you set up cross-realm auth (AD trusts MIT works; MIT trusts AD doesn't). This last one isn't doable at this point, because of the PAC issue.

OpenLDAP isn't sufficient to replace AD. AD is LDAP + Kerberos + CIFS tightly coupled to provide things in a slightly non-standard way. The Kerberos ticket's PAC field must be stuffed with some authorization information which is retrieved from LDAP. I don't know the details on this because I didn't want to agree to the NDA Microsoft required to access documentation on the PAC. I think they have gotten rid of the NDA at this point, but I'm not sure.

I suggest that you also check with the Samba group, as I think they've been working on solving this problem. I'm pretty sure you'll have to run Kerberos and LDAP on the same box (whenever someone gets it working), and quite possibly Samba too.
Brian Davidson
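As an added illustration of the "map Kerb principal to user on the Windows box" setup Brian describes (this is not part of the original post), these are the ksetup commands a standalone, non-domain Windows host needs to log on against an MIT realm. The realm name, KDC host, host-principal password and account names are placeholders, and the host principal is assumed to already exist in the MIT KDC.

```powershell
# Added example: point a standalone Windows workstation at an MIT KDC.
# Run from an elevated prompt. All realm/host/user values are placeholders.

$Realm = "MITREALM.EXAMPLE"        # MIT realm name (realm names are upper case)
$Kdc   = "kdc.mitrealm.example"    # KDC reachable on port 88 (UDP and TCP)

# 1. Make the MIT realm the workstation's logon realm and register its KDC.
ksetup /setdomain $Realm
ksetup /addkdc $Realm $Kdc

# 2. The KDC must hold a host principal for this machine, created on the KDC
#    side with something like:
#      kadmin.local -q "addprinc host/ws01.mitrealm.example@MITREALM.EXAMPLE"
#    The password chosen there becomes the workstation's Kerberos password.
ksetup /setcomputerpassword "<host-principal-password>"

# 3. Map an MIT principal to a local Windows account. The MIT KDC only proves
#    identity; the local account supplies the SID and group membership that
#    AD would otherwise deliver in the ticket's PAC.
ksetup /mapuser alice@$Realm alice

# Review what was stored (realm, KDC list, principal-to-account mappings).
ksetup

# After logging on as "alice", the TGT shown should come from krbtgt/$Realm.
klist
```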