Jeffrey Hutzelman wrote:
On Friday, February 25, 2005 12:08:05 PM -0800 Mike Fedyk <[EMAIL PROTECTED]> wrote:
I'd suggest getting some documentation on the internals of AD and Kerberos so this project can move forward. Can anyone suggest some good books for this (and maybe for the SCSI protocol too -- separate issue entirely though)?
The Kerberos protocol is well documented; in fact, it is an Internet standards-track specification. For the current specification, see draft-ietf-krb-wg-kerberos-clarifications-07.txt, RFC3961, and RFC3962.
This is a bit off-topic, but the SCSI protocol is also fairly well documented; it is an IEEE standard. For an overview of the SCSI-3 architecture and links to the drafts describing its architecture, transports, and command sets, see <http://www.t10.org/scsi-3.htm>
It should be noted that AD is not just a Kerberos server; it's also an LDAP server. The LDAP protocol is also an Internet standards-track protocol, which is the subject of ongoing work in the ldapbis working group. See http://www.ietf.org/html.charters/ldapbis-charter.html
Thanks for the info, and I'll be reading them, but specifically what I was asking for are books that introduce each technology much like a book on programming. I already understand some of the concepts used in them, but want to flesh out my knowledge on them and learn common techniques that probably won't be in a RFC or specification. You wouldn't happen to know of any books like that, would you?
Unfortunately, the problem is that AD is more than just LDAP and Kerberos; it requires specific extensions, some of which are poorly documented, if at all.
Don't you love standards-track protocols that *aren't fully documented*?!
As Jeff has noted, it is certainly possible to build a replacement for AD; in fact, there are a couple such projects which have already been mentioned in this thread.
However, such an effort is out of scope for the OpenAFS project. OpenAFS is not an authentication service or a directory service, which are the things AD does, and so it is not a replacement for AD. AFS is a distributed network filesystem, and it fills that role extremely well -- so well, in fact, that I have yet to see its equal. However, it is not a complete distributed computing infrastructure, and does not purport to be. No amount of asking "how can I have users log in to my windows box without having local accounts or a directory service" will change the fact that a directory service is an essential component in any such system, and that service is simply not what AFS does.
Yes, this is off-topic for this list. Though I ask that this thread be allowed to end on its own, since it has been quite helpful to me (yes, I'm that selfish ;).
If you are interested in work toward providing distributed computing infrastructure based on Kerberos and LDAP, I suggest you check out work like XAD (<http://www.padl.com/Products/XAD.html>) and the Hurderos project (<http://www.hurderos.org/>).
Hmm, I haven't heard of Hurderos before. I really am not in XAD's market since I don't have the money, and I won't be able to justify spending money for it when it could buy us a second Win2k3 server instead. Does Hurderos have a mailing list? They don't have one listed on their site.
Mike

_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
