Ramesh Vaidyanathan writes:
> I wanted to elaborate a little more on my earlier message. Windows
> supports single sign-on using an authentication mode called "Integrated
> authentication", but it only works within a single domain and both the
> client and server must be part of the domain. But if LDAP must support
> such a feature, it has to work across domains and multiple firewalls,
> so I am wondering if the LDAP protocol supports such a feature.

You are looking for the Kerberos <http://web.mit.edu/kerberos/> network
authentication protocol.  It provides single sign-on.  It's a separate
protocol from LDAP, but the LDAP Bind operation supports SASL (Simple
Authentication and Security Layer), and SASL supports Kerberos via the
GSS-API mechanism.  I don't know much about either Kerberos or Windows

You are asking to compare apples and oranges though.  Windows is an
operating system, LDAP is just a protocol.  You need support for SASL
(and parts of Kerberos I presume) in the clients you want to use too.
A number of clients only know how to ask for a password and DN when
you want to authenticate; then it doesn't help that the rest of your
system supports Kerberos.

For that matter, Windows' Active Directory is a sort of LDAP protocol
(except it breaks the standard in some ways) plus more.
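
Added example, not part of the original message: the difference between a DN-and-password client and a SASL-capable one is visible in the `AuthenticationChoice` field of the LDAP BindRequest (RFC 4511). The Python below BER-encodes both forms and classifies a captured bind, which is one way to spot clients still sending cleartext simple binds; the function names are hypothetical and any token passed to `sasl_auth` here is a constructed placeholder, not a real Kerberos token.

```python
def tlv(tag, value):
    # BER tag-length-value with definite length (short or long form).
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value

def read_tlv(buf, pos=0):
    # Return (tag, value, next_pos) for the element starting at pos.
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    n = first
    if first & 0x80:
        k = first & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + n > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + n], pos + n

def bind_request(msg_id, dn, auth):
    # LDAPMessage { messageID, [APPLICATION 0] BindRequest { version 3, name, auth } }
    body = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + auth
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, body))  # msg_id < 128

def simple_auth(password):
    return tlv(0x80, password.encode())      # simple [0]: DN + cleartext password

def sasl_auth(mechanism, token):
    return tlv(0xA3, tlv(0x04, mechanism.encode()) + tlv(0x04, token))  # sasl [3]

def classify_bind(message):
    # Return ("simple", dn) or ("sasl", mechanism) for one LDAPMessage.
    _, msg, _ = read_tlv(message)
    _, _, pos = read_tlv(msg)                # skip messageID
    op_tag, bind, _ = read_tlv(msg, pos)
    if op_tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _, pos = read_tlv(bind)               # version
    _, dn, pos = read_tlv(bind, pos)         # name (bind DN)
    auth_tag, auth, _ = read_tlv(bind, pos)
    if auth_tag == 0x80:
        return "simple", dn.decode()
    if auth_tag == 0xA3:
        return "sasl", read_tlv(auth)[1].decode()
    raise ValueError("unknown AuthenticationChoice")
```

Calling `classify_bind(bind_request(1, "cn=user,dc=example,dc=com", simple_auth("secret")))` returns `("simple", "cn=user,dc=example,dc=com")`, while a bind built with `sasl_auth("GSSAPI", token)` is reported as `("sasl", "GSSAPI")`.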

