Re: [Hampshire] Happy Happy Joy Joy

Author: Graham
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] Happy Happy Joy Joy
On Sat, 2007-09-22 at 18:17 +0100, Stuart Sears wrote:
> Vic wrote:
>
> > Now the thing to realise about AD - the real salient point - is that it's
> > a perversion of LDAP. It's *almost* LDAP, which is a nice, well-defined
> > standard. But it isn't LDAP. It's a Microsoft-only protocol Embraced and
> > Extended from LDAP, just ready for the Extinguish...
>
> Surely it's really only LDAP + Kerberos + custom LDAP schema?
> You can authenticate directly against AD as it stands using only pam_ldap and
> pam_krb5 - no samba requirement at all.
>
> Don't get me wrong, I am not a particular fan of AD, but exactly *what* have
> they done that makes it an "extended" version of LDAP?

Microsoft's LDAP implementation which a client accesses for joining a
domain uses a custom ldap schema, connectionless LDAP (RFC1485) but most
importantly uses a whole bucket of undocumented RPC calls.

Also, there are the famous PAC extensions added to their Kerberos
implementation:

http://searchwindowssecurity.techtarget.com/originalContent/0,289142,sid45_gci1014058,00.html

I used to think all this was more about Microsoft excluding
non-Microsoft based technology whilst still being able to stamp
'interoperable' on the box. On reflection, I think it is true that
Microsoft's implementation was as much to do with finding a solution
that works well. Non-windows clients and servers can interoperate
perfectly well in a Windows environment.

It's really the centralised and simple unified management tools that
sell their products. I don't think any of the big Linux players have
really produced anything comparable in terms of out of the box
monkey-capable manageability.


Graham
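The "connectionless LDAP" Graham mentions is what a Windows client uses to find a domain controller before it joins: a single UDP/389 datagram carrying an LDAP SearchRequest whose filter names the domain and the client's NtVer, asking only for the "Netlogon" attribute (the so-called LDAP ping). The code below is an added example, not from the mailing list or from Microsoft or Samba; it hand-rolls the BER encoding so it runs offline, and decodes the datagram again so the structure can be inspected. The domain name, hostname and the NtVer flag value are constructed for illustration, and the actual UDP send is left out.

```python
"""Build and decode a minimal CLDAP "LDAP ping" datagram.

Added example (not code from the mailing-list thread). BER is hand-rolled so
there are no dependencies; the domain, host and NtVer value are constructed.
"""
import struct


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(v: int) -> bytes:
    """Non-negative INTEGER with a minimal two's-complement body."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return tlv(0x02, body)


def octet(s: bytes) -> bytes:
    return tlv(0x04, s)


def eq_match(attr: bytes, value: bytes) -> bytes:
    """Filter.equalityMatch = [3] AttributeValueAssertion."""
    return tlv(0xA3, octet(attr) + octet(value))


def build_ldap_ping(dns_domain: str, host: str,
                    nt_ver: int = 0x20000006, msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, SearchRequest } as sent over UDP/389.

    Filter is (&(DnsDomain=...)(Host=...)(NtVer=<DWORD>)), attribute list is
    just "Netlogon". NtVer is a little-endian DWORD of flag bits; 0x20000006
    is an assumed illustrative value, not a quoted Microsoft constant.
    """
    flt = tlv(0xA0,                                   # [0] AND of filters
              eq_match(b"DnsDomain", dns_domain.encode())
              + eq_match(b"Host", host.encode())
              + eq_match(b"NtVer", struct.pack("<I", nt_ver)))
    attrs = tlv(0x30, octet(b"Netlogon"))             # SEQUENCE OF attribute
    search = tlv(0x63,                                # [APPLICATION 3] SearchRequest
                 octet(b"")                           # baseObject: root DSE
                 + tlv(0x0A, b"\x00")                 # scope: baseObject
                 + tlv(0x0A, b"\x00")                 # derefAliases: never
                 + ber_int(0) + ber_int(0)            # sizeLimit, timeLimit
                 + tlv(0x01, b"\x00")                 # typesOnly: FALSE
                 + flt + attrs)
    return tlv(0x30, ber_int(msg_id) + search)


def ber_decode(buf: bytes, pos: int = 0):
    """Return ((tag, payload), next_pos); payload is a child list for constructed tags."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:                                     # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + ln
    if tag & 0x20:                                    # constructed bit set
        kids = []
        while pos < end:
            node, pos = ber_decode(buf, pos)
            kids.append(node)
        return (tag, kids), end
    return (tag, buf[pos:end]), end


def parse_ldap_ping(packet: bytes) -> dict:
    """Pull messageID, the equality filters and the attribute list back out."""
    (tag, parts), _ = ber_decode(packet)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    msg_id = int.from_bytes(parts[0][1], "big")
    op_tag, op = parts[1]
    if op_tag != 0x63:
        raise ValueError("not a SearchRequest")
    filt = {}
    for ava_tag, ava in op[6][1]:                     # op[6] is the [0] AND filter
        if ava_tag != 0xA3:
            continue
        name, raw = ava[0][1].decode(), ava[1][1]
        filt[name] = struct.unpack("<I", raw)[0] if name == "NtVer" else raw.decode()
    attrs = [a[1].decode() for a in op[7][1]]         # op[7] is the attribute list
    return {"msg_id": msg_id, "filter": filt, "attributes": attrs}


if __name__ == "__main__":
    pkt = build_ldap_ping("corp.example", "ws01")     # constructed names
    print(pkt.hex())
    print(parse_ldap_ping(pkt))
```

To actually send it you would `socket.sendto(pkt, (dc_ip, 389))` and the DC answers with a SearchResultEntry whose single "Netlogon" value is the NETLOGON_SAM_LOGON_RESPONSE_EX blob (site name, DC name, flags); that blob, not anything in the LDAP RFCs, is the part a client needs Microsoft's documentation to interpret.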