Re: Is is possible to have Active Directory use a different LDAP server for logging in users?
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Thu, 21 Dec 2006 16:08:33 -0500
It is if you can kerberize the Tivoli stuff and make it into its own realm (i.e. like a domain). Then you tell AD to trust that realm and it will be similar to using another trusted domain.
Otherwise no, LDAP isn't a good auth mechanism and isn't an auth protocol at all despite the fact that people use it for that. Windows uses Kerberos for auth because it is a true auth protocol designed specifically for that purpose.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Ian Becker wrote:
In our current environment, we have a Tivoli Directory server that is
our main LDAP server. Would it be possible to have Active Directory
pass through logons to that to authenticate users without actually
replicating the databases?
Thanks,
Ian