Ramesh Vaidyanathan writes:
> I wanted to elaborate a little more on my earlier message. Windows
> supports single sign-on using an authentication mode called "Integrated
> authentication", but it only works within a single domain and both the
> client and server must be part of the domain. But if LDAP must support
> such a feature, it has to work across domains and multiple firewalls,
> so I am wondering if LDAP protocol supports such a feature.

You are looking for the Kerberos <http://web.mit.edu/kerberos/> network authentication protocol. It provides single sign-on. It's a separate protocol from LDAP, but the LDAP Bind operation supports SASL (Simple Authentication and Security Layer), and SASL supports Kerberos via the GSS-API mechanism.

I don't know much about either Kerberos or Windows myself. You are asking to compare apples and oranges though. Windows is an operating system, LDAP is just a protocol.

You need support for SASL (and parts of Kerberos I presume) in the clients you want to use too. A number of clients only know how to ask for password and DN when you want to authenticate, then it doesn't help that the rest of your system supports Kerberos.

For that matter, Windows' Active Directory is a sort of LDAP protocol (except it breaks the standard in some ways) plus more.

--
Regards,
Hallvard