From: Booker C. B. <bb...@ne...> - 2001-04-24 21:40:14
On Mon, 23 Apr 2001, Dave Mills wrote:

> We use only AD here for our LDAP server and haven't had any major issues. I
> think I can shed some light on the issues being discussed. Also, I would be
> more than happy to write an Active Directory and LDAP FAQ. If anyone's
> interested please drop me a note with topics that you'd like to see
> covered... See in-line for answers to questions posed in this thread....
>
> > -----Original Message-----
> > From: ma...@mj... [mailto:ma...@mj...]
> > Sent: Monday, April 23, 2001 10:50 AM
> > To: per...@li...
> > Subject: RE: Active directory and Perl-ldap
> >
> >
> > Aha, just as I expected.
> >
> > One of the right things MS did with W2K is to realize that LDAP is
> > not an authentication protocol, however mightily we try to make it
> > one (and keep in mind that I've written *a lot* of LDAP
> > authentication code in my time).
> >
> > No, AD uses Kerberos for its authentication protocol.
> >

- Sorry to be pedantic, but AD supports SASL/GSSAPI using Kerberos V. You need
  a K5-based GSSAPI to talk to it. To talk to it using perl-ldap, you'd need a
  SASL and a Kerberos V GSSAPI module.

- Microsoft distributes some example code and libraries that will allow you to
  use the Netscape C SDK (version 3.1) to talk to AD. Unfortunately, you can't
  use the SASL framework in the Netscape SDK[1] to talk to AD. The MS stuff adds
  an extra bind call that does the LDAP SASL GSSAPI bind.

- I <think> it should be possible to use OpenLDAP 2.0 to talk to AD using
  SASL/GSSAPI, but I haven't had a chance to actually try it yet.

- Booker C. Bense

[1] Netscape has some very strange ideas about how to do SASL.
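The SASL/GSSAPI bind Booker describes, written out with perl-ldap as an added example (this is not code from the original post, nor from the perl-ldap project). It assumes the CPAN modules Net::LDAP, Authen::SASL (with its pure-Perl GSSAPI mechanism) and GSSAPI are installed, that a Kerberos V ticket for the user already sits in the default credential cache (for example after `kinit user@EXAMPLE.COM`), and that the host name `dc.example.com`, the base DN `DC=example,DC=com` and the use of `$ENV{USER}` as the account name are placeholders to be replaced:

```perl
#!/usr/bin/perl
# Added example: SASL/GSSAPI (Kerberos V) bind to Active Directory using
# perl-ldap. Not from the original post. Assumes: a valid Kerberos ticket in
# the default credential cache, the CPAN modules Net::LDAP, Authen::SASL and
# GSSAPI, and that the host/base DN/account name below are placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Extension::WhoAmI;          # adds $ldap->who_am_i
use Net::LDAP::Util qw(escape_filter_value);
use Authen::SASL qw(Perl);                 # pure-Perl mechanisms, incl. GSSAPI

my $host = 'dc.example.com';      # assumption: a DC's FQDN; must match the
                                  # service principal ldap/dc.example.com@REALM
my $base = 'DC=example,DC=com';   # assumption: the domain's base DN
my $user = $ENV{USER} // 'unknown';   # assumption: sAMAccountName == login name

my $ldap = Net::LDAP->new($host, version => 3)
    or die "connect to $host failed: $@";

# Mechanism GSSAPI: the Kerberos V exchange is carried inside LDAP SASL bind
# requests/responses. No password crosses the wire; the cached ticket is used.
my $sasl = Authen::SASL->new(mechanism => 'GSSAPI');

my $mesg = $ldap->bind(sasl => $sasl);
die "SASL/GSSAPI bind failed: " . $mesg->error . "\n" if $mesg->code;

# Ask the server which authorization identity it attached to this connection
# (LDAP "Who Am I?" extended operation). A failed or anonymous result here
# means the bind did not do what we thought it did.
my $who = $ldap->who_am_i;
printf "bound as: %s\n", $who->code ? '(not reported: ' . $who->error . ')'
                                    : $who->response;

# Prove the bind actually authorised us: read our own account object.
# The account name is escaped before being interpolated into the filter so a
# hostile value cannot rewrite the search (LDAP filter injection).
my $search = $ldap->search(
    base   => $base,
    scope  => 'sub',
    filter => '(&(objectClass=user)(sAMAccountName='
              . escape_filter_value($user) . '))',
    attrs  => [qw(sAMAccountName userPrincipalName memberOf)],
);
die "search failed: " . $search->error . "\n" if $search->code;

for my $entry ($search->entries) {
    print "dn: ", $entry->dn, "\n";
    for my $attr (qw(sAMAccountName userPrincipalName)) {
        my $v = $entry->get_value($attr);
        print "  $attr: $v\n" if defined $v;
    }
    print "  memberOf: $_\n" for $entry->get_value('memberOf');
}

$ldap->unbind;
```

Two things to check when this fails: the host name given to `Net::LDAP->new` must be the name the DC's `ldap/` service principal is registered under (an IP address or a CNAME that does not match the SPN gives a GSSAPI error before any LDAP bind happens), and the ticket in the cache must be for a principal in a realm the DC trusts. Running `klist` before the script and checking that the `who_am_i` output names the expected account is the cheapest way to tell a Kerberos problem from an LDAP one.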