How can we have users in the ADS, but keep them in the LDAP only?
We have already decentralized UNIX authentication based on LDAP Servers. We
want to extend this functionality by integrating Windows 2000 authentication on the LDAP Servers
too. I've heard it's possible to "replicate" LDAP data into ADS, but I'd like to know if it's
possible to keep the authentication out of the Win2000, just like we do in the UNIX world. In
summary, we do not want to have users in the ADS, but keep them in the LDAP only.
The ease of this interoperation depends on whether you are authenticating users with LDAP or
with Kerberos. You won't be able to authenticate the Windows 2000 desktop simply with LDAP. You can
look for ways to keep the local desktop password in sync with the LDAP password, but then you have
a fleet of standalone machines rather than a unified management domain.
If you use Kerberos along with LDAP, you can configure the desktops to use MITv5 Kerberos from a
UNIX-based realm. Again, you still lose the advantages of a domain. You need Active Directory for
group policies, for instance, and for a central store of groups. Also, setting up cross-realm
trusts can be a challenge in MITv5, whereas it's a breeze in Active Directory.
If you end up deciding to synchronize between your UNIX-based LDAP service and Active Directory,
you'll need to invest in a utility that keeps the two databases in sync. This can be a challenge if
you have many AD-based domains, or if users can create ad hoc domains, such as on a college campus.
Microsoft makes a product called Microsoft Metadirectory Service (MMS) that can do this.
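An added example, not part of the original answer, of the per-desktop configuration the answer describes: pointing a standalone Windows 2000 workstation at an MIT Kerberos realm with ksetup and mapping realm principals to local accounts. The realm name EXAMPLE.COM, the KDC host kdc.example.com, the workstation name wkst and the account names jdoe and asmith are assumed placeholders. It assumes the matching host principal host/wkst.example.com@EXAMPLE.COM has been created on the MIT KDC with the same password (for example with kadmin: addprinc -pw <password> host/wkst.example.com) before the script is run.

```batch
@echo off
rem Added example: attach a standalone Windows 2000 workstation to the MIT
rem Kerberos realm EXAMPLE.COM. Realm, KDC, host and account names are
rem assumed placeholders. Run as the local Administrator; reboot afterwards.

rem 1. Tell the Kerberos SSP which realm this machine belongs to and where
rem    its KDC and password-change server are. No DNS SRV records needed.
ksetup /setdomain EXAMPLE.COM
ksetup /addkdc EXAMPLE.COM kdc.example.com
ksetup /addkpasswd EXAMPLE.COM kdc.example.com

rem 2. The workstation's own key. Must match the password used when
rem    host/wkst.example.com@EXAMPLE.COM was created on the KDC.
ksetup /setcomputerpassword <host-principal-password>

rem 3. Local accounts are still required: the realm only checks the
rem    password, while the local account supplies the SID, profile and
rem    group membership. Give them random passwords that are never used.
net user jdoe /add /random
net user asmith /add /random

rem 4. Map realm principals to those local accounts.
rem    Weak setting (commented out): every principal in the realm lands on
rem    one shared local account, so individual users become indistinguishable
rem    in the local audit trail and share one profile and one set of rights.
rem ksetup /mapuser * kerbuser
rem    Preferred: an explicit one-to-one mapping per user.
ksetup /mapuser jdoe@EXAMPLE.COM jdoe
ksetup /mapuser asmith@EXAMPLE.COM asmith

rem 5. Show the resulting realm, KDC and mapping settings, then reboot.
ksetup
```

After the reboot, users log on as jdoe@EXAMPLE.COM with their Kerberos password; the local account's own password is never presented. Note what this buys and what it does not: the password check now lives in the UNIX realm, but every local account, mapping and right still has to be created on each workstation, which is the "fleet of standalone machines" trade-off the answer warns about.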
This was first published in October 2001