We have already decentralized UNIX authentication based on LDAP Servers. We want to extend this functionality by integrating Windows 2000 authentication on the LDAP Servers too. I've heard it's possible to "replicate" LDAP data into ADS, but I'd like to know if it's possible to keep the authentication out of the Win2000, just like we do in the UNIX world. In summary, we do not want to have users in the ADS, but to keep them in the LDAP only.
The ease of this interoperation depends on whether you are authenticating users with LDAP or with Kerberos. You won't be able to authenticate the Windows 2000 desktop simply with LDAP. You can look for ways to keep the local desktop password in sync with the LDAP password, but then you have a fleet of standalone machines rather than a unified management domain.
If you use Kerberos along with LDAP, you can configure the desktops to use MITv5 Kerberos from a UNIX-based realm....
Again, you still lose the advantages of a domain. You need Active Directory for group policies, for instance, and for a central store of groups. Also, setting up cross-realm trusts can be a challenge in MITv5 where it's a breeze in Active Directory.
If you end up deciding to synchronize between your UNIX-based LDAP service and Active Directory, you'll need to invest in a utility that keeps the two databases in sync. This can be a challenge if you have many AD-based domains, or if users can create ad hoc domains, such as on a college campus. Microsoft makes a product called Microsoft Metadirectory Service (MMS) that can do this.
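As an added illustration (not part of the question or the expert's answer above), this is the workstation-side configuration the answer alludes to: pointing a Windows 2000 desktop at a UNIX MIT Kerberos V5 realm so that logon is verified by the UNIX KDC while accounts stay in the LDAP/Kerberos back end. Realm name, host names, account names and passwords are assumed placeholders, and the KDC-side kadmin commands are shown as comments.

```bat
@echo off
REM Added example, not from the original page: join a Windows 2000 workstation
REM (wks01) to an MIT Kerberos realm. All names below are assumed placeholders.
REM
REM KDC side first (run by the realm administrator on the MIT KDC):
REM   kadmin.local -q "addprinc -pw <WKS_PW> host/wks01.example.com@EXAMPLE.COM"
REM   kadmin.local -q "addprinc alice@EXAMPLE.COM"
REM Windows 2000 expects a DES key for the host principal when the realm is not
REM Active Directory; that enctype is weak, so note it as a known design limit.

set REALM=EXAMPLE.COM
set KDC=kdc1.example.com
set WKS_PW=<strong computer password, identical to the one given to kadmin>

REM 1. Tell the Kerberos security package which realm this machine belongs to
ksetup /setdomain %REALM%

REM 2. Register the KDC and the password-change server for that realm
ksetup /addkdc %REALM% %KDC%
ksetup /addkpasswd %REALM% %KDC%

REM 3. Set the key for host/wks01.example.com so the KDC can issue tickets to it
ksetup /setcomputerpassword %WKS_PW%

REM 4. A local account must exist for every mapped principal: Windows needs a
REM    local SID to build the logon token. This is exactly why the answer says
REM    you end up with standalone machines rather than a management domain.
REM    The local password is irrelevant once Kerberos performs the logon.
net user alice * /add

REM 5. Map the MIT principal onto that local account
ksetup /mapuser alice@%REALM% alice

REM 6. Reboot, then run "ksetup" with no arguments to confirm realm, KDC and
REM    mapping were stored; alice then logs on selecting realm EXAMPLE.COM.
```

Group policy, central groups and cross-realm trust are still not provided by this setup, as the answer notes; each workstation carries its own mapping table and local accounts.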