Windows with MIT krb5 and OpenLDAP

Brian Davidson bdavids1 at gmu.edu
Fri Apr 9 16:53:41 EDT 2004


On Apr 9, 2004, at 1:32 PM, Jeffrey Altman wrote:
>
> I do not know how you would use OpenLDAP in place of the Windows
> Active Directory.  I suggest you ask that question on an OpenLDAP
> mailing list.
>

As Jeffrey said:
MIT + standalone Windows works if you map the Kerb principal to a user on the Windows box.
MIT + AD also works if you set up cross-realm auth (the "AD trusts MIT, MIT doesn't trust AD" configuration works).

This last issue isn't doable at this point, because of the PAC issue. OpenLDAP isn't sufficient to replace AD. AD is LDAP + Kerberos + CIFS tightly coupled to provide things in a slightly non-standard way. The Kerberos ticket's PAC field must be stuffed with some authorization information which is retrieved from LDAP. I don't know the details on this because I didn't want to agree to the NDA Microsoft required to access documentation on the PAC. I think they have gotten rid of the NDA at this point, but I'm not sure.

I suggest that you also check with the Samba group, as I think they've 
been working on solving this problem.  I'm pretty sure you'll have to 
run Kerberos and LDAP on the same box (whenever someone gets it 
working), and quite possibly Samba too.

Brian Davidson
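As an added illustration, not part of Brian's reply or of any project mentioned in the thread, here are the two working arrangements he lists expressed as the Windows-side steps, with placeholder realm, host and account names. The netdom argument order and the Set-ADUser mapping step are assumptions to check against local documentation; the kadmin lines in comments are what the MIT KDC needs to match.

```powershell
# Added example, not from the original thread. Every realm, host, account and
# secret below (MIT.EXAMPLE.COM, AD.EXAMPLE.COM, kdc.example.com, alice,
# PLACEHOLDER-*) is a placeholder to replace.

# --- 1. MIT + standalone (non-domain) Windows box -------------------------
# The workstation talks to the MIT KDC directly and maps the Kerberos
# principal onto a local account. Run from an elevated prompt, then reboot.
ksetup /setrealm MIT.EXAMPLE.COM
ksetup /addkdc MIT.EXAMPLE.COM kdc.example.com
ksetup /addkpasswd MIT.EXAMPLE.COM kdc.example.com
# Key for host/<workstation>@MIT.EXAMPLE.COM; the same secret is used when
# the principal is created on the KDC (kadmin line below).
ksetup /setcomputerpassword PLACEHOLDER-HOST-SECRET
# Map the realm principal to a local account (the local account must exist).
ksetup /mapuser alice@MIT.EXAMPLE.COM alice
# On the MIT KDC (assumed workstation hostname):
#   kadmin.local -q "addprinc -pw PLACEHOLDER-HOST-SECRET host/workstation.example.com@MIT.EXAMPLE.COM"
# Sanity check: 'ksetup' with no arguments prints the realm, KDC and mappings.

# --- 2. MIT + AD, one-way: AD trusts MIT --------------------------------
# Run on a domain controller. The DCs must be able to reach the MIT KDC, and
# both KDCs must hold the same key for the cross-realm principal
# krbtgt/AD.EXAMPLE.COM@MIT.EXAMPLE.COM.
ksetup /addkdc MIT.EXAMPLE.COM kdc.example.com
# Assumed argument order (trusting domain first, trusted realm after /domain);
# confirm with 'netdom trust /help' before running.
netdom trust AD.EXAMPLE.COM /domain:MIT.EXAMPLE.COM /add /realm /passwordt:PLACEHOLDER-TRUST-SECRET
# On the MIT KDC, create the matching cross-realm principal with the same secret:
#   kadmin.local -q "addprinc -pw PLACEHOLDER-TRUST-SECRET krbtgt/AD.EXAMPLE.COM@MIT.EXAMPLE.COM"
# Map each MIT principal onto an AD account so AD can build the ticket's
# authorization data (the PAC) from its own directory. Assumed cmdlet; the
# same altSecurityIdentities value can be set with ADSI Edit instead.
Set-ADUser -Identity alice -Add @{altSecurityIdentities = 'Kerberos:alice@MIT.EXAMPLE.COM'}
```

The mapping in step 2 is what lets AD attach a PAC for an MIT user; nothing in step 1 produces one, which is why a standalone box only needs the local account mapping.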
