> But what exactly happens at the NT PDC???

This is documented a little in the admin guide:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2859334

Quoting:

    NT4 LDAP Service. This is a special LDAP server application that must be
    installed on the primary domain controller for NT4 sync. It is only used
    for NT4 and is not needed for Active Directory deployments. The purpose
    of the NT4 LDAP Service is to provide a similar view of users and groups
    as is available via LDAP from Active Directory. This allows almost all
    of the Directory Server Windows Sync code to be the same for both Active
    Directory and NT4.

How it works may give you some better insight:

NT4, unlike AD, does not support LDAP. It does, however, have an API that allows an application running on the PDC to read and write the NTLM user database. This is called the 'NetXXX API' because many of the functions have names like 'NetUserEnum()'.

What the NTDS does is to 'reflect' that API as an LDAP server. It does this using ApacheDS (chosen because it gives us a working LDAP server that can be quickly customized, and because it will run without huge testing effort on an old platform like NT4), and a custom ApacheDS back-end. The back-end provides a shim between the ApacheDS internal database interface and the NetXXX API. It does this using a combination of C++ to talk directly to the API, and then a SWIG-generated shim to JNI, which in turn is driven by a simple Java class in the custom back-end.

The top-level goal for the NTDS is to 'emulate' AD on NT4. The idea was to code the winsync part of FDS to speak to AD alone, and do all the NT4 weirdness on the NT side. It turns out to be hard/impossible to do that 100% (some schema is quite different, for example). So you will see some 'if (nt4) ...' code in FDS winsync, but not a whole lot.
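To make the "reflect the NetXXX API as an LDAP server" idea concrete, here is a small added illustration (not code from the 389/FDS project, ApacheDS, or the poster) of what such a back-end shim does: it takes flat, NetUserEnum()-style user records and presents them as AD-shaped LDAP entries with DNs and attributes, so a consumer written against AD can search them. The `NtUser` record, `fake_net_user_enum()`, the `Nt4Reflector` class and the `dc=example,dc=com` suffix are all constructed for this example; the only real value is `UF_ACCOUNTDISABLE`, the Win32 account-flag bit that AD consumers also read out of `userAccountControl`.

```python
"""Added illustration of an NT4 -> LDAP 'reflector' shim.

Everything here is constructed for the example. It is not the NT4 LDAP
Service, the ApacheDS back-end, or any 389/FDS winsync code.
"""
from dataclasses import dataclass

# Real Win32 USER_INFO flag bit (also meaningful in AD's userAccountControl).
UF_ACCOUNTDISABLE = 0x0002


@dataclass
class NtUser:
    """Minimal stand-in for a USER_INFO record from NetUserEnum() (constructed)."""
    name: str
    full_name: str
    comment: str
    flags: int


def fake_net_user_enum():
    """Constructed sample data standing in for the real NetUserEnum() call."""
    return [
        NtUser("jdoe", "Jane Doe", "engineer", 0),
        NtUser("svc_backup", "Backup Service", "disabled pending review",
               UF_ACCOUNTDISABLE),
    ]


class Nt4Reflector:
    """Hypothetical shim: exposes NetXXX records through an LDAP-like search.

    In the real design this layer sits between ApacheDS's internal database
    interface and the NetXXX API (C++ -> SWIG/JNI -> Java); here it is a plain
    Python class so the mapping itself is visible.
    """

    def __init__(self, domain_dn, enum_fn=fake_net_user_enum):
        self.domain_dn = domain_dn   # assumed suffix, e.g. dc=example,dc=com
        self.enum_fn = enum_fn       # the "NetUserEnum()" provider

    def user_to_entry(self, u):
        """Map one flat NT4 user record to an AD-shaped entry.

        The flags word is passed through as userAccountControl unchanged; a
        production shim would normalise it (the comment in the original post
        about 'if (nt4)' code hints that such differences leak through).
        """
        return {
            "dn": f"cn={u.name},cn=Users,{self.domain_dn}",
            "objectClass": ["top", "person", "organizationalPerson", "user"],
            "sAMAccountName": u.name,
            "cn": u.name,
            "displayName": u.full_name,
            "description": u.comment,
            "userAccountControl": u.flags,
        }

    def search(self, attr, value):
        """Equality-filter lookup, the LDAP equivalent of (attr=value)."""
        return [e for e in map(self.user_to_entry, self.enum_fn())
                if e.get(attr) == value]


def is_disabled(entry):
    """What an AD-only consumer would check on the reflected entry."""
    return bool(entry["userAccountControl"] & UF_ACCOUNTDISABLE)


if __name__ == "__main__":
    reflector = Nt4Reflector("dc=example,dc=com")
    for entry in reflector.search("objectClass", None) or map(
            reflector.user_to_entry, fake_net_user_enum()):
        print(entry["dn"], "disabled" if is_disabled(entry) else "enabled")
```

The point of the example is the direction of the adaptation: the NT side does the work of looking like AD (DNs, `objectClass`, `sAMAccountName`, `userAccountControl`), so the sync code on the directory-server side can stay almost entirely AD-only, which is exactly the design the post describes.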