Re: OpenLDAP+Active Directory
Aiko Barz wrote:
On Tue, Jan 22, 2008 at 01:14:47AM -0800, Howard Chu wrote:
> Aiko Barz wrote:
>> Hello,
>>
>> is it possible to create an Active Directory forest with multible
>> subdomains and make those informations available for one Linux
>> machine?
>> Right now, we have one domain and it is possible to do authentication
>> against the Active Directory, while using OpenLDAP, PAM and Kerberos.
> There's nothing in OpenLDAP that would prevent this. This is a question
> more suited to either the pam_ldap or nss_ldap mailing lists. The only
> problem is you might have cn=userA representing two different users in
> both domains at once, and you'll have to have some kind of policy for
> dealing with those situations.
Hello,
I was testing a subdomain configuration and I wondered: What happened
to the -C switch? And will there be support for following referrals
with credentials?
Doing so is a security vulnerability, so that support was dropped from all of
the bundled tools quite a long time ago. Referrals in general are a stupid,
poorly designed, insecure feature of LDAP which is why OpenLDAP provides so
many secure alternatives to them (chaining, glued back-ldap, etc.).
Server topology information belongs solidly in the server, and should never be
explicitly exposed to clients. Clients have no way to know which servers can
be trusted (beyond, presumably, the initial one they contacted), nor when a
referral might cross an administrative boundary (and thus require a different
set of credentials). This is all knowledge that a server administrator already
has, and it should only ever be dealt with on the server side.
The fact that ActiveDirectory is entirely glued together with referrals is
just one of many flaws in its design.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/