Yves Dorfsman wrote:
> Richard Chycoski wrote:
>
>> AD is solid, scalable, and well supported. There *are* some gotchas
>> if you are looking for 100% LDAP compatibility, but for authc/authz
>> (login, groups, etc.) nothing else performs quite as well. (I do hope
>> that OpenLDAP catches up!)
>
> What is the advantage of going LDAP against AD vs. using Kerberos?
>

If you go with LDAP + Kerberos (AD or other), you get portable authentication (Ticket Granting Tickets) that allows you to obtain many services with a single sign-on. In some environments this can mean single-sign-on-for-everything; in others it at least reduces the number of times that you need to supply your password. Simple LDAP doesn't do this.

Beware, however, that this can expose credentials on poorly-secured, shared machines, something that is a problem with just about every system that uses stored credentials.
Chris Reisor wrote:
> NDS became eDirectory. It hasn't been NDS for many years.

Yes, but that initial product was NDS, which was 'working' for several years before AD came on the market. By the time it became eDirectory, Novell had already lost the market.

And having worked on NDS in the Netware 3.x/4.x days, I can understand why they didn't take the market by storm - if you think AD is 'proprietary', NDS was 'cloistered'. Most of the tools that were needed to make it work were not documented, and at one point I had to spend many hours on the phone, even with the help of our 'platinum reseller' (otherwise it would have been *days*), just to get the magic incantation to remove an orphaned OU. And it was as simple as adding two or three operands to a command that was already on the system!

It was also extremely difficult to get useful programming documentation to interact with NDS - I did eventually write an NLM to run on Netware 4.11 that could build user accounts synced to an external data source, but it was like pulling teeth to get the API to do anything more than the basics. (Sure you can make an account - but you want it to have some attributes? So sad for you. :-)

I finally found an internal newsgroup support forum at Novell where it appeared that the one, lone Novell employee who was both clueful and also empowered to speak to the unwashed masses could be found. This combination was virtually unobtainium!

I found NDS to be very fragile - but then, early AD was somewhat fragile too. Fortunately, I didn't have to work with it directly until Win2k3, by which time it was very solid.

I left Novell behind (changed jobs) just as eDirectory was being released. Instead, I got to work with *oh so wonderful* NIS+ (yet another proprietary directory service not ready for prime time :-).
- Richard
_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
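The shared-machine caveat in Richard's reply, as an added example that is not part of the original thread: a Python audit of MIT-style FILE: credential caches. A TGT lives in a file, and whoever can read that file can copy it, point KRB5CCNAME at the copy and use the ticket until it expires, so the audit lists every krb5cc_* file in a directory, flags caches that are readable by group/other or owned by a different uid than their name claims, and reads the default principal out of each so the finding names the identity at risk. It assumes caches named krb5cc_<uid> (the MIT default under /tmp) in the documented MIT v3/v4 file layout; the two cache files it inspects, and the principals alice@EXAMPLE.COM and svc/web@EXAMPLE.COM inside them, are constructed in a temporary directory rather than taken from a real host.

```python
"""Audit Kerberos FILE: credential caches on a shared host (added example).

A TGT is only as safe as the file holding it: anyone who can read
/tmp/krb5cc_<uid> can copy it, point KRB5CCNAME at the copy, and act as
that principal until it expires.  Cache layout follows the MIT ccache
file format, versions 3 and 4 (big-endian fields).
"""
import os
import stat
import struct
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Finding:
    path: str
    principal: Optional[str]
    issues: List[str] = field(default_factory=list)


def _counted(data: bytes, off: int):
    """Read a 4-byte big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">I", data, off)
    return data[off + 4:off + 4 + n], off + 4 + n


def parse_ccache_principal(data: bytes) -> str:
    """Return the default principal ("name@REALM") from a v3/v4 MIT ccache."""
    if len(data) < 2 or data[0] != 0x05 or data[1] not in (3, 4):
        raise ValueError("not a version 3/4 MIT credential cache")
    off = 2
    if data[1] == 4:  # v4 carries tagged header fields (DeltaTime etc.); skip them
        off += 2 + struct.unpack_from(">H", data, off)[0]
    ncomp = struct.unpack_from(">II", data, off)[1]  # (name_type, num_components)
    realm, off = _counted(data, off + 8)
    comps = []
    for _ in range(ncomp):
        comp, off = _counted(data, off)
        comps.append(comp.decode())
    return "/".join(comps) + "@" + realm.decode()


def build_ccache_header(principal: str) -> bytes:
    """Constructed sample: the opening bytes of a v4 cache for `principal`.
    The credential records a real cache holds after this are omitted; the
    audit never reads them."""
    name, realm = principal.split("@", 1)
    comps = name.split("/")
    hdr = struct.pack(">HH", 1, 8) + b"\x00" * 8  # tag 1 = DeltaTime, 8 bytes
    out = bytearray(b"\x05\x04") + struct.pack(">H", len(hdr)) + hdr
    out += struct.pack(">II", 1, len(comps))  # name type 1 = KRB5_NT_PRINCIPAL
    for s in [realm] + comps:
        out += struct.pack(">I", len(s.encode())) + s.encode()
    return bytes(out)


def audit_ccache_dir(directory: str = "/tmp") -> List[Finding]:
    """Inspect every krb5cc_* regular file in `directory`."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.startswith("krb5cc_"):
            continue
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue  # a symlink or FIFO here is a different kind of problem
        finding = Finding(path=path, principal=None)
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            finding.issues.append("accessible to group/other (mode %o)" % (st.st_mode & 0o777))
        uid_part = name.split("_")[1]  # krb5cc_<uid> or krb5cc_<uid>_<random>
        if uid_part.isdigit() and int(uid_part) != st.st_uid:
            finding.issues.append("owner uid %d does not match cache name" % st.st_uid)
        try:
            with open(path, "rb") as fh:
                finding.principal = parse_ccache_principal(fh.read(4096))
        except (OSError, ValueError, struct.error) as exc:
            finding.issues.append("could not parse cache: %s" % exc)
        findings.append(finding)
    return findings


def make_sample_dir():
    """Constructed input: one properly protected cache and one exposed one."""
    d = tempfile.mkdtemp()
    uid = os.getuid()
    good = os.path.join(d, "krb5cc_%d" % uid)
    bad = os.path.join(d, "krb5cc_%d_AbCdEf" % (uid + 1))  # name claims another uid
    with open(good, "wb") as fh:
        fh.write(build_ccache_header("alice@EXAMPLE.COM"))
    os.chmod(good, 0o600)
    with open(bad, "wb") as fh:
        fh.write(build_ccache_header("svc/web@EXAMPLE.COM"))
    os.chmod(bad, 0o644)  # world-readable: anyone on the box can lift the TGT
    return d, good, bad


if __name__ == "__main__":
    for f in audit_ccache_dir(make_sample_dir()[0]):
        print(f.path, f.principal, "; ".join(f.issues) or "OK")
```

Run it as root from cron against /tmp on the shared login hosts to catch caches that a mis-set umask or a careless `cp` has left readable. Two limits worth knowing: a correctly protected 0600 cache is still readable by root, so on a box whose root you do not trust the ticket is exposed no matter what this script reports, which is exactly the "poorly-secured, shared machines" point above; and newer MIT and Heimdal builds often default to KEYRING: or DIR: caches (check `klist` and KRB5CCNAME), which this FILE:-only audit does not see.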
