On Thursday, 1 December 2005 17:53, David Boreham wrote:
>> But what exactly happens at the NT PDC???
> This is documented a little in the admin guide:
^^^^^ exactly ;)
Yes, I know it, and it doesn't tell me much about how it works. So I'm messed
up a little when dealing with problems. :(
> How it works may give you some better insight:
> NT4, unlike AD, does not support LDAP. It does however have an API
> that allows an application running on the PDC to read and write the NTLM
> user database. This is called the 'NetXXX API' because many of the
> functions have names like 'NetUserEnum()'.
> What the NTDS does is to 'reflect' that API as an LDAP
> server. It does this using ApacheDS (chosen because it gives us a working
> LDAP server that can be quickly customized, and because it will run without
> huge testing effort on an old platform like NT4), and a custom ApacheDS
> back-end.
> The back-end provides a shim between the ApacheDS internal database
> interface and the NetXXX API. It does this using a combination of C++ to talk
> directly to the API, and then a SWIG-generated shim to JNI which in turn is
> driven by a simple Java class in the custom back end.
So it is not a login, but service-to-service talk. Then ApacheDS doesn't
have to know the account (uid and pw), because it is running as a privileged
service - is this right?
> The top level goal for the NTDS is to 'emulate' AD on NT4.
> The idea was to code the winsync part of FDS to speak to
> AD alone, and do all the NT4 weirdness on the NT side.
> It turns out to be hard/impossible to do that 100% (some schema
> is quite different for example). So you will see some 'if (nt4) ... '
> code in FDS winsync, but not a whole lot.
Ok, that's quite elegant. I see.
So the only uid/pw combination I need to know and to have (create) at the PDC
side is in fact the ApacheDS Directory Manager (uid=admin,ou=system) ? And it
has nothing to do with any existing account in the windows domain (user or
admin)... did I get this right?
Wow, great explanation, thank you... please put something similar into the
manual - I think a lot of people will need it, or at least want to know how
it works.
See U
Hartmut
--
===========================================
Hartmut Woehrle
EMail: hartmut.woehrle(a)mail.pcom.de