Ask the Expert

How can we have users in the ADS, but keep them in the LDAP only?

We have already decentralized UNIX authentication based on LDAP Servers. We want to extend this functionality by integrating Windows 2000 authentication on the LDAP Servers too. I've heard it's possible to "replicate" LDAP data into ADS, but I'd like to know if it's possible to keep the authentication out of the Win2000, just like we do in the UNIX world. In summary, we want not to have users in the ADS, but keep them in the LDAP only.

The ease of this interoperation depends on whether you are authenticating users with LDAP or with Kerberos. You won't be able to authenticate the Windows 2000 desktop simply with LDAP. You can look for ways to keep the local desktop password in sync with the LDAP password, but then you have a fleet of standalone machines rather than a unified management domain.

If you use Kerberos along with LDAP, you can configure the desktops to use MITv5 Kerberos from a UNIX-based realm. Again, you still lose the advantages of a domain. You need Active Directory for group policies, for instance, and for a central store of groups. Also, setting up cross-realm trusts can be a challenge in MITv5 where it's a breeze in Active Directory.

If you end up deciding to synchronize between your UNIX-based LDAP service and Active Directory, you'll need to invest in a utility that keeps the two databases in sync. This can be a challenge if you have many AD-based domains, or if users can create ad hoc domains, such as on a college campus. Microsoft makes a product called Microsoft Metadirectory Service (MMS) that can do this.
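The Kerberos option described above, sketched as an added example (not part of the original answer) using `ksetup` from the Windows 2000 Support Tools. The realm `EXAMPLE.ORG`, the KDC host `kdc.example.org` and the `HOSTPW` variable are placeholders assumed for illustration; the workstation is assumed to be a workgroup member, not joined to any domain.

```batch
@echo off
REM Added example: point a standalone Windows 2000 workstation at a
REM UNIX-hosted MIT Kerberos V5 realm. All names are placeholders.
REM
REM Prerequisite on the KDC (done by the realm administrator): a host
REM principal for this machine, host/<machine-fqdn>@EXAMPLE.ORG, whose
REM password matches the one entered below.

REM 1. Name the Kerberos realm the workstation should authenticate against.
REM    (Later Windows versions spell this switch /setrealm.)
ksetup /setdomain EXAMPLE.ORG

REM 2. Tell the workstation where the realm's KDC lives.
ksetup /addkdc EXAMPLE.ORG kdc.example.org

REM 3. Set the machine password so it matches the host principal's key.
REM    Prompt for it instead of hard-coding it in the script.
REM    (Later Windows versions spell this switch /setcomputerpassword.)
set /p HOSTPW=Host principal password: 
ksetup /setmachpassword %HOSTPW%
set HOSTPW=

REM 4. Map Kerberos principals to local accounts. "* *" maps each
REM    principal to the local account of the same name, so every user
REM    still needs a local account on every workstation. A narrower
REM    alternative is one mapping per user, for example:
REM      ksetup /mapuser alice@EXAMPLE.ORG alice
ksetup /mapuser * *

REM 5. Restart the workstation for the realm settings to take effect.
echo Realm configured. Restart the workstation to apply the change.
```

Step 4 is where the cost noted above shows up: authorization still rests on local accounts and local groups on each machine, so there is no group policy and no central group store.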

This was first published in October 2001
