On Thu, Mar 20, 2003 at 06:28:15AM +1200, Liane Williams wrote:

> Thanks for the background info - good to know.
> I guess standardisation and interoperability is another advantage of
> LDAP.
> But LDAP is just a directory access protocol isn't it? What service
> offers the actual directory? Is it part of the X500 compliant breed now
> on many platforms?
Yes, LDAP is just the directory service; you can't run an authentication system to replace NIS with just LDAP ... However, NIS is "just" a system to distribute configuration files over a network, and besides the inevitable problems in doing that, there's the basic question of having configuration _files_ for system and security information available at all. So, you replace the libraries that access files directly (or via NIS) with libraries that call an authentication system, like PAM. Actually, most libraries in a modern unix will have this option available. PAM itself acts as your broker, and will itself use config files, or call a directory for information.

Another simplification - LDAP is "just" a fast database, so your PAM could elect to use a SQL database instead. Too many choices are not always a good thing ... :-)

> I guess my question is - what is the full Linux/Unix equivalent of
> Windows 2000 Active Directory and Domain structure, and Novell's NDS?
> Is there a short answer?

Now that I'm not sure of, as I've not been convinced that rolling all your data into one delivery service is a good thing. I've only worked at scales where either directories were too much overhead (i.e. small systems) or too limited (large systems). Actually, as with websites, most of the time you don't need dynamism, but it can be handy. Usually I've distributed fixed config files to machines, which means that they can be "fixed" by admins who don't need to know how the distribution method works, only that it exists. Obviously you need to confirm the state of the target before overwriting things ... :-)

-jim
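The closing point of the reply above (push fixed config files to machines, but confirm the state of the target before overwriting anything), as an added example that is not part of the original thread or of any project it mentions. The script installs a new file over a target only when the file currently on the target has the checksum an admin recorded earlier; the target file here is a constructed nsswitch.conf that moves passwd/group/shadow lookups from files-only to files-then-LDAP, which is the "libraries call the directory instead of reading files" arrangement the reply describes. All paths, file contents and the recorded checksum are constructed for this example.

```shell
#!/bin/sh
# Added example (not code from the original thread): distribute a fixed
# config file, but refuse to overwrite a target whose current contents are
# not the state we expected.  Everything below is constructed for the demo.

# file_hash PATH: print the SHA-256 hex digest of PATH; print nothing if absent.
file_hash() {
    [ -e "$1" ] || return 0
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# install_if_expected SRC DST EXPECTED
#   Overwrite DST with SRC only if the digest of DST equals EXPECTED.
#   Pass the literal string "absent" to require that DST does not exist yet.
#   Returns 0 when the file was installed, 1 when the target was refused.
install_if_expected() {
    src=$1; dst=$2; expected=$3
    actual=$(file_hash "$dst")
    [ -n "$actual" ] || actual=absent
    if [ "$actual" != "$expected" ]; then
        printf 'refusing to overwrite %s: found %s, expected %s\n' \
            "$dst" "$actual" "$expected" >&2
        return 1
    fi
    cp -p "$src" "$dst"
}

# demo: build a scratch target, push the new file once (must succeed), then
# push again with the now-stale expectation (must be refused).  Exports the
# target path in DEMO_TARGET and returns the status of the second push.
demo() {
    tmp=$(mktemp -d) || return 2
    dst="$tmp/nsswitch.conf"
    new="$tmp/nsswitch.conf.new"
    # Constructed "current" state on the target: look up accounts in files only.
    printf 'passwd: files\ngroup: files\nshadow: files\n' > "$dst"
    # Constructed desired state: files first, then the LDAP directory.
    printf 'passwd: files ldap\ngroup: files ldap\nshadow: files ldap\n' > "$new"
    expected=$(file_hash "$dst")   # the state an admin recorded beforehand
    install_if_expected "$new" "$dst" "$expected" || return 3
    # The target has changed, so the same recorded state must now be rejected.
    install_if_expected "$new" "$dst" "$expected" 2>/dev/null
    rc=$?
    DEMO_TARGET=$dst
    return $rc
}

# Run the demonstration when executed directly.
demo || printf 'second push refused (status %s); target now at %s\n' "$?" "$DEMO_TARGET"
```

The "absent" convention lets the same function be used for first-time installs without silently clobbering a file somebody created by hand in the meantime; in practice the recorded digest would come from the distribution system's inventory rather than from a variable computed moments earlier.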
