Linking Active Directory to LDAP - PowerPoint PPT Presentation

About This Presentation
Title:

Linking Active Directory to LDAP

Description:

NTLM is also used to authenticate logins to standalone computers with Windows 2000 ... will be randomly generated as users will never need to login directly to the AD ... – PowerPoint PPT presentation

Slides: 25
Provided by: usmd
Learn more at: https://www.usmd.edu

Transcript and Presenter's Notes

Title: Linking Active Directory to LDAP


1
Linking Active Directory to LDAP
  • Steven M. Ostrove
  • Brian Brzezicki

2
An Overview of the UMBC Windows Active Directory
3
Background
  • UMBC is a medium size public research university
  • 9,101 Undergraduate students (ft/pt)
  • 1,658 Graduate students (ft/pt)
  • 550 Faculty
  • 1,184 Staff

4
Computing Infrastructure
  • Centralized model managed by OIT
  • Various flavors of UNIX/LINUX provide most
    services
  • Kerberos (V5) is the authentication mechanism of
    choice
  • Large AFS presence (terabyte)
  • Persistent Storage for Students
  • Minimal Win/NT domains
  • LAN Services based on Netware

5
Current LAN Services
  • File and print service for faculty, staff and
    open labs (no students!)
  • Novell NDS-based
  • 5 central Novell (4.2) servers
  • 1,624 user objects
  • Novell print queues support PC/MAC/Unix printing

6
UMBC Windows 2000 Goals
  • Create a Windows 2000 (Win2k) domain (Active
    Directory) to provide LAN services (file, print,
    web, mail, etc.) to the entire campus community
  • Support single sign-on functionality by linking
    Win2k authentication with UMBC's Kerberos realm

7
Authentication in Windows 2000
  • Two choices:
    • Kerberos Version 5
      • Default authentication protocol for network
        authentication on computers with Windows 2000 and
        Windows XP
    • Windows NT LAN Manager (NTLM)
      • Retained in Windows 2000 for compatibility with
        downlevel clients and servers. NTLM is also used
        to authenticate logins to standalone computers
        with Windows 2000

8
Kerberos in Windows 2000
  • Implemented as defined in RFC 1510
  • Utilizes the authorization data field within the
    TGT to carry Security Identifiers (SIDs)
  • Will work with external MIT KDCs (Version 5)

9
Hardware Requirements
  • Domain Controllers (2)
    • Dell PowerEdge 2450
    • Dual Pentium III 733 MHz
    • Memory 512 MB
    • 18 GB Hard drives (2) RAID 1
    • Dual Power Supplies
    • Dell Remote Access Cards
  • Uninterruptible Power Supply
    • APC SmartUPS 2200

10
Active Directory Model
  • Initial Thoughts
    • Single domain model of AD
    • Use an external Kerberos KDC for authentication
    • Shadow accounts will be created in the AD for
      each account in the canonical directory. These
      accounts will provide the security descriptors
      for the user
    • Passwords for these accounts will be randomly
      generated as users will never need to login
      directly to the AD
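
As an added example (not code from the deck or from UMBC's implementation), the shadow-account provisioning described above in PowerShell. It assumes the ActiveDirectory module, which postdates the Windows 2000 tooling of the talk; the principal list stands in for an LDAP query of the canonical directory and the OU path is a placeholder.

```powershell
# Added example: one shadow account in AD per principal from the canonical
# directory, each with a random password nobody ever needs to know (slide 10 model).
# Assumes the ActiveDirectory module; the principal list and OU are placeholders.
Import-Module ActiveDirectory

# Constructed sample; in practice these come from the canonical LDAP directory.
$principals = @('jdoe', 'asmith')
$shadowOU   = 'OU=Shadow,DC=winad,DC=umbc,DC=edu'   # placeholder OU

function New-RandomPassword {
    # 32 bytes from the OS CSPRNG, base64-encoded. The value is never written
    # down or typed, so it only has to be unguessable, not memorable.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

foreach ($p in $principals) {
    # Idempotent: re-running the script must not reset existing shadow accounts.
    if (Get-ADUser -Filter "SamAccountName -eq '$p'") {
        Write-Host "shadow account for $p already exists, skipping"
        continue
    }
    $secret = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    New-ADUser -Name $p -SamAccountName $p -UserPrincipalName "$p@winad.umbc.edu" `
        -Path $shadowOU -AccountPassword $secret -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true
}
```

Because NTLM validates a logon against the password hash stored in AD, accounts provisioned this way can only serve clients that authenticate with Kerberos against the external KDC, which is the limitation slide 11 raises.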

11
Active Directory Model
  • Major Problem!
    • This model is only appropriate if ALL
      workstations are Win2K or WinXP
    • Downlevel clients, Win95, Win98, WinME, and WinNT
      use NTLMv2 authentication, NOT Kerberos
    • Mac client currently uses NTLM authentication

12
Active Directory Model
  • Current Revision
    • Single domain model of AD
    • Use the default Windows authentication
      • Kerberos for Win2K and WinXP
      • NTLMv2 for downlevel Windows clients
      • Not sure what to do about Macs
    • Accounts will be created in the AD for each
      account in the canonical directory
    • Passwords for principals in the AD will be
      synchronized with the corresponding principals in
      the Kerberos realm

13
A Picture Is Worth 1000 Words

14-24
AD Design
  • [Diagram built up across slides 14-24; the images are not part of the
    transcript. Components shown: MIT KDC, LDAP directory, Connector, AD KDC
    (winad.umbc.edu), WebAuth, Win2K Workstation. Slides 19-22 number the
    flows 1-4; slide 24 shows all four together plus a flow labelled "a".]