Hi Adrian,
> Chris> I'll be really really really happy if something like this
> Chris> can be done, because as I mentioned in my previous post, I
> Chris> have to (unfortunately), rely on Microsoft technologies for
> Chris> certain aspects of my organisation. Now Microsoft
> Chris> (regardless of popular belief) is not so bad anymore -
> Chris> talking from the 2000 range of products. At the moment, I
> Chris> have W2K Professional here, and it's a killer.
>
> A killer what ? :-)
Once again stating that I am not a Microsoft fanatic, I do however feel that
Microsoft has to be given credit for their development towards their range
of 2000 products. Especially Win2000 (Server & Professional) as well as SQL
2000. Performance-wise, I must admit I am not really at liberty to brag
about it, I only use a 166MHz Pentium here. But feature-wise, it's definitely
starting to catch up. Simple examples will be the inclusion of decent
packet filtering in Win2000 and QoS services. But in any case, this is not
the discussion we are having, is it? :)
> Chris> If there are ways to use cross platform databases, I'm
> Chris> really interested to hear about them. Having Exim use a MS
> Chris> database is just the start of my mission. In the long run,
> Chris> I personally, wish to see this type of support regarding
> Chris> databases just about in any product or service. Imagine
> Chris> Linux's PAM doing authentication from within SQL or other
> Chris> Databases?
>
> Your mission ? At any rate, every database is different to work
> with. Telnetting is not an option. You have to use the supplier's
> libraries which means you haven't got a hope with MSSQL as it's Windows
> only and exim is non-Windows.
Yes, I found that out now :) Thanks for all the people pointing me into
the right direction. I've also started my own development towards an MS-SQL
engine for Linux which well, is hopefully going to work. As far as MS-SQL
directly goes... I do have in possession the development libraries used to
program SQL applications on the Windows platform. I know there is a huge
difference between the two platforms (Microsoft & Unix), and I am also aware
of the fact that there already are quite a few libs for Unix which support
MS-SQL connectivity. Which is why I have decided to jump a bit into such
developments, and see what I can come up with. If I am successful towards
my developments, perhaps we'll see in the not too distant future the
inclusion of more databases in Exim, and Linux in general. Once again,
closing the gap more between these various platforms, and making it easier
(and even possible), to use information across various OS platforms without
any difficulty.
> Chris> You can immediately use all your authentication through any
> Chris> application or OS version you like. Be it Windows, be it
> Chris> Linux, be it IBM (OS//2), or even a Apple MAC.
>
> Umm, you mean LDAP then. If you have to use Windows 2000 then set up
> Active directory and try interfacing to that from exim. I haven't got
> a clue if it will work or not as Microsoft have done things to Active
> directory which isn't quite standard LDAP, surprise.
Err, not wanting to be an expert here, but isn't LDAP a protocol used for
locating people? Used by things like ICQ and NetMeeting and Voice-over-IP
connections? I may be wrong here yes I know :) As far as authentication as
a basic goes, Win2000 already supports Kerberos which I believe is in some
way compatible with the Unix versions. This already allows for
authentication to happen cross platform. This however, is not what I have
in mind. By doing this, you will still have to rely on a dedicated server
(or servers) to host your account data in well, non sufficient ways? What
happens for instance, if you have a Web site, which has to authenticate
users right around the world, on a single page? Surely, doing this over
HTML and authenticating these users over something like Kerberos or NTLM
authentication puts severe stress on servers, and also means a lot of
programming from a development point of view. While when you port all of
this "globally" used information to a database, you instantly have the
ability to access the information from anywhere in the world, with any
application which requires it, without any additional costs in regards to
possibly having to set up secondary servers and such. I'm not even too sure
if I'm explaining this in the best way, but I'm sure you are starting to get
what I'm getting at here.
As far as Active Directory goes.... Well... It's a geographically based
location manager of NT servers on a Network. It uses DNS to put records
into DNS zones to automatically update basic information about the various
NT servers on your Network. NOTE: NETWORK, NOT DOMAIN! Then your primary
DNS Zone is broken up into sub-domains each with its own set of NS records,
and every PDC gets authenticated SOA records for its subdirectory. In
other words, it shows the Microsoft applications which server to query for
information about a particular user on a particular domain.
This is also once again starting to go way off topic from the mailing list,
but if I can just go into this quickly, here is what a basic DNS tree for
Active Directory looks like:
@ IN SOA ns1.sunnyline.co.za.
dnsadmin.sunnyline.co.za. (
40 ; serial number
900 ; refresh
600 ; retry
86400 ; expire
3600 ) ; minimum TTL
;
; Zone NS records - Top order of Active Directory Tree
@ NS ns1.sunnyline.co.za.
@ NS ns2.sunnyline.co.za.
@ NS ns3.sunnyline.co.za.
@ NS darkwing.office.sunnyline.co.za.
darkwing.office A 192.168.0.1
; Delegated sub-zone: office.sunnyline.co.za. - Domain acting as part of the Active Directory
office NS darkwing.office.sunnyline.co.za.
darkwing.office A 192.168.0.1
; End delegation
The office.sunnyline.co.za domain zone will then automatically be updated
with what Microsoft calls WKS Records (Well Known Service), which tell
Microsoft applications at which IP address a specific service is. For
instance, it might have a WKS Record for the Kerberos Authentication
service, putting the information in the zone file that
office.sunnyline.co.za authenticates by means of Kerberos authentication,
at location z.y.x.v. Yes, I agree it's not the safest way to do this,
anyone has access to see the information and access your information about
your network services through DNS, but that's not my call to make. I just
wanted to give you a better idea of what Active Directory is, and how it is
working.
By combining Exim with Active Directory, you will still need to program an
actual interface to use the various NT Services to get an actual username for
that matter. Which brings us back to step one, which is having to program
something that can query NT based services to get USERNAMES or access NT
based DATABASES which hold account databases.
If you however can get to the idea that you access NT's SAM (Security
Account Manager) Database, then you hit the bull's eye, because the SAM
Database on NT is like /etc/passwd. It holds EVERY single bit of
information regarding the NT account lists. It is however, very hard to
program something to access this, and to my knowledge, Microsoft is the only
company having the code on how to access information from within the SAM
database. Perhaps when and if I start to hunt around, I may be able to
find some information on how to query the SAM DB though, but for now, I'd
firstly like to stick towards getting my MS-SQL implementation complete.
> Sincerely,
>
> Adrian Phillips
>
> --
> Your mouse has moved.
> Windows NT must be restarted for the change to take effect.
> Reboot now? [OK]
>
> --
Hmmm, exactly the kind of attitude I want to see get changed over the next
few years.... For the record, you hardly ever need to reboot Win2000
anymore :) You can even install new NIC drivers and change IP routing tables
and addresses without rebooting. Yes yes, I know it's standard on Linux, but
think MS style now OHKAY ? :))
Regards,
Chris Knipe
Cell (083) 430-8151
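An added example (my code, not from the original post) that parses the Active Directory delegation Chris shows above and audits it from the zone owner's side: it checks that each delegated in-zone name server actually has a glue A record, and flags private addresses that a publicly served zone would advertise, which is the exposure point raised above about anyone reading network details through DNS. The zone text is a constructed sample built from the post's records (with the wrapped comment line joined); the sunnyline.co.za names come from the post.

```python
import ipaddress
import re

# Constructed sample: the delegation from the post, wrapped comment line joined.
ZONE = """\
@ IN SOA ns1.sunnyline.co.za. dnsadmin.sunnyline.co.za. (
  40 ; serial number
  900 ; refresh
  600 ; retry
  86400 ; expire
  3600 ) ; minimum TTL
@ NS ns1.sunnyline.co.za.
@ NS darkwing.office.sunnyline.co.za.
darkwing.office A 192.168.0.1
; Delegated sub-zone: office.sunnyline.co.za. - part of the Active Directory
office NS darkwing.office.sunnyline.co.za.
darkwing.office A 192.168.0.1
"""

def absolutize(name, origin):
    """Make a zone-relative owner or target fully qualified."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin="sunnyline.co.za."):
    """Parse BIND-style lines to (owner, type, rdata); joins ( ) continuations."""
    body = "\n".join(l.split(";", 1)[0] for l in text.splitlines())  # drop comments
    body = re.sub(r"\([^)]*\)", lambda m: m.group(0).replace("\n", " "), body)
    records = []
    for line in body.splitlines():
        tokens = line.replace("(", " ").replace(")", " ").split()
        if len(tokens) < 2:
            continue
        owner, rest = tokens[0], tokens[1:]
        if rest[0] == "IN":
            rest = rest[1:]
        records.append((absolutize(owner, origin), rest[0], rest[1:]))
    return records

def audit(records, origin="sunnyline.co.za."):
    """Return (delegations, exposed): in-bailiwick NS target -> glue addresses
    ([] = lame delegation), and A records publishing private RFC 1918 addresses."""
    glue, targets = {}, []
    for owner, rtype, rdata in records:
        if rtype == "A":
            glue.setdefault(owner, []).append(rdata[0])
        elif rtype == "NS" and owner != origin:  # apex NS set is not a delegation
            targets.append(absolutize(rdata[0], origin))
    delegations = {t: glue.get(t, []) for t in targets if t.endswith("." + origin)}
    exposed = sorted({(o, ip) for o, ips in glue.items() for ip in ips
                      if ipaddress.ip_address(ip).is_private})
    return delegations, exposed
```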