[Fedora-directory-users] Winsync Problem with NT4

David Boreham david_list at boreham.org
Thu Dec 1 16:53:49 UTC 2005


> But what exactly happens at the NT PDC???

This is documented a little in the admin guide:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2859334

quoting:

NT4 LDAP Service. This is a special LDAP server application that must be 
installed on the primary domain controller for NT4 sync. It is only used 
for NT4 and is not needed for Active Directory deployments. The purpose 
of the NT4 LDAP Service is to provide a similar view of users and groups 
as is available via LDAP from Active Directory. This allows almost all 
of the Directory Server Windows Sync code to be the same for both Active 
Directory and NT4.

How it works may give you some better insight:

NT4, unlike AD, does not support LDAP. It does, however, have an API
that allows an application running on the PDC to read and write the NTLM
user database. This is called the 'NetXXX API' because many of the
functions have names like 'NetUserEnum()'.

What the NTDS does is to 'reflect' that API as an LDAP server. It does
this using ApacheDS (chosen because it gives us a working LDAP server
that can be quickly customized, and because it will run without huge
testing effort on an old platform like NT4), and a custom ApacheDS
back-end. The back-end provides a shim between the ApacheDS internal
database interface and the NetXXX API. It does this using a combination
of C++ to talk directly to the API, and then a SWIG-generated shim to JNI
which in turn is driven by a simple Java class in the custom back-end.

The top level goal for the NTDS is to 'emulate' AD on NT4.
The idea was to code the winsync part of FDS to speak to
AD alone, and do all the NT4 weirdness on the NT side.
It turns out to be hard/impossible to do that 100% (some schema
is quite different for example). So you will see some 'if (nt4) ... '
code in FDS winsync, but not a whole lot.



