[Fedora-directory-users] Winsync Problem with NT4

Hartmut Wöhrle hartmut.woehrle at mail.pcom.de
Thu Dec 1 17:51:49 UTC 2005


On Thursday, 1 December 2005 17:53, David Boreham wrote:
> >But what exactly happens at the NT PDC???
>
> This is documented a little in the admin guide:
                                  ^^^^^     exactly ;)
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2859334
>
Yes, I know it, and it doesn't tell me much about how it works. So I'm a little 
messed up when dealing with problems. :(

> How it works may give you some better insight:
>
> NT4, unlike AD, does not support LDAP. It does however have an API
> that allows an application running on the PDC to read and write the NTLM
> user database. This is called the 'NetXXX api' because many of the
> functions have names like 'NetUserEnum()'.
> What the NTDS does is to 'reflect' that API as an LDAP
> server. It does this using ApacheDS (chosen because it gives us a working
> LDAP server that can be quickly customized, and because it will run without
> huge testing effort on an old platform like NT4), and a custom ApacheDS
> back-end.
> The back-end provides a shim between the ApacheDS internal database interface
> and the NetXXX api. It does this using a combination of C++ to talk
> directly to the API, and then a swig-generated shim to JNI which in turn is
> driven by a simple Java class in the custom back end.
So it is not a login, but service-to-service talk. Then ApacheDS doesn't 
have to know the account (uid and pw), because it is running as a privileged 
service - is this right?

>
> The top level goal for the NTDS is to 'emulate' AD on NT4.
> The idea was to code the winsync part of FDS to speak to
> AD alone, and do all the NT4 weirdness on the NT side.
> It turns out to be hard/impossible to do that 100% (some schema
> is quite different for example). So you will see some 'if (nt4) ... '
> code in FDS winsync, but not a whole lot.
Ok, that's quite elegant. I see. 

So the only uid/pw combination I need to know and to have (create) at the PDC 
side is in fact the ApacheDS Directory Manager (uid=admin,ou=system)? And it 
has nothing to do with any existing account in the Windows domain (user or 
admin)... did I get this right?

Wow, great explanation, thank you... please put something similar in the 
manual - I think a lot of people will need it, or at least want to know how 
it works.

See U 
Hartmut

-- 
===========================================

    Hartmut Woehrle
    EMail: hartmut.woehrle at mail.pcom.de
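To make the "reflect the NetXXX api as an LDAP server" idea from David's reply concrete, here is an added illustration that is not part of the thread and not NTDS code (the real NTDS used C++ against the NetXXX API, a SWIG-generated JNI shim and a Java ApacheDS back-end, none of which appears here). It takes a constructed list of records shaped like NetUserEnum() level-3 results (USER_INFO_3 field names, sample data invented for the example), maps each onto an AD-style entry with the same objectClass, sAMAccountName and userAccountControl attributes winsync would expect from AD, and answers a simple LDAP equality filter over them. The UF_* bit values are the real ones from lmaccess.h and AD's userAccountControl uses the same bits; the base DN, the cn=Users container and the helper names are assumptions made for the example.

```python
"""Added illustration (not NTDS code): reflect NT4-style user records as
AD-like LDAP entries, the way a custom ApacheDS back-end would, and serve
a simple equality filter over them. Input is constructed, not a real
NetUserEnum() call."""

# UF_* flag bits from <lmaccess.h>; AD's userAccountControl uses the same bits.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000

# Constructed sample: a NetUserEnum() level-3 enumeration reduced to a few
# USER_INFO_3 fields. The accounts are hypothetical.
NT4_USERS = [
    {"usri3_name": "alice", "usri3_full_name": "Alice Example",
     "usri3_comment": "Engineering", "usri3_flags": UF_NORMAL_ACCOUNT},
    {"usri3_name": "bob", "usri3_full_name": "Bob Example",
     "usri3_comment": "Left the company",
     "usri3_flags": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE},
    {"usri3_name": "svc-backup", "usri3_full_name": "Backup service",
     "usri3_comment": "",
     "usri3_flags": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD},
]


def reflect_user(rec, base_dn):
    """Map one NT4 record onto an AD-style entry (dict of attribute -> values).
    The cn=Users container and the attribute choice mimic AD; they are an
    assumption of this example, not something the thread specifies."""
    name = rec["usri3_name"]
    entry = {
        "dn": f"cn={name},cn=Users,{base_dn}",
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "cn": [name],
        "sAMAccountName": [name],
        # NT4 keeps the account flags as a plain bitmask; AD exposes the same
        # bitmask as the integer attribute userAccountControl.
        "userAccountControl": [str(rec["usri3_flags"])],
    }
    if rec["usri3_full_name"]:
        entry["displayName"] = [rec["usri3_full_name"]]
    if rec["usri3_comment"]:
        entry["description"] = [rec["usri3_comment"]]
    return entry


def parse_equality_filter(flt):
    """Accept only the simple form '(attr=value)'; a value of '*' means
    presence. Anything else (AND/OR, substrings) is rejected explicitly."""
    if not (flt.startswith("(") and flt.endswith(")") and "=" in flt):
        raise ValueError(f"unsupported filter: {flt}")
    attr, value = flt[1:-1].split("=", 1)
    if not attr or "(" in attr or ")" in attr:
        raise ValueError(f"unsupported filter: {flt}")
    return attr.lower(), value


def search(records, base_dn, flt="(objectClass=user)"):
    """Enumerate the NT4 records on every search (there is no local copy of
    the database, just the API) and return the reflected entries matching
    flt. Attribute names compare case-insensitively, as in LDAP."""
    attr, value = parse_equality_filter(flt)
    hits = []
    for rec in records:
        entry = reflect_user(rec, base_dn)
        vals = next((v for k, v in entry.items()
                     if k != "dn" and k.lower() == attr), None)
        if vals is None:
            continue
        if value == "*" or any(v.lower() == value.lower() for v in vals):
            hits.append(entry)
    return hits


def is_disabled(entry):
    """The same test a consumer would make on a real AD entry."""
    return int(entry["userAccountControl"][0]) & UF_ACCOUNTDISABLE != 0


if __name__ == "__main__":
    for e in search(NT4_USERS, "dc=example,dc=com"):
        print(e["dn"], "disabled" if is_disabled(e) else "enabled")
```

Note that nothing here involves a domain user's credentials: the shim reads the account database through the API with whatever rights the process it runs in already has, which is the point of David's "reflect" description. Whether the real NTDS service needs a specific Windows account is not something this example can answer.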



