Adam Tauno Williams <[email protected]> writes:

> On Thu, 2009-12-10 at 22:01 -0700, Yves Dorfsman wrote:
> > Richard Chycoski wrote:
> > > AD is solid, scalable, and well supported. There *are* some gotchas if
> > > you are looking for 100% LDAP compatibility, but for authc/authz (login,
> > > groups, etc.) nothing else performs quite as well. (I do hope that Open
> > > LDAP catches up!)
> > What is the advantage of going ldap against AD vs. using kerberos?
>
> AD is Kerberos. LDAP and Kerberos are not the same thing
> (identification vs. authorization). You need LDAP + Kerberos or you
> need AD.

You can authenticate straight to ldap without using kerberos, if you want. Kerberos is nicer, though, as you get your ticket granting ticket, and you don't need to re-authenticate for 8 hours if you have everything set up right. Authenticating directly to ldap is very much like a 'slightly more secure NIS' - which is to say, you still need to type your password every time you log in.

(There's also a set of patches for OpenSSH, OpenSSH-LPK, that allow you to store a user's public key in ldap rather than in ~/.ssh/authorized_keys, which is better than passwords, if kerberos is not an option. Kerberos is probably the best tool for this job, though.)

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
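
The keys-in-LDAP approach mentioned in the message above depends on turning directory values into safe `authorized_keys` lines. The following is an added example, not part of the original post and not OpenSSH-LPK code: a sketch of the filtering a lookup helper (for instance one run through sshd's `AuthorizedKeysCommand`) would apply to `ldapsearch` output. It assumes the `sshPublicKey` attribute name used by the LPK schema; the function name, the user entry and the key material are constructed for illustration.

```python
import base64
import re

# One bare public key per value: type, base64 blob, optional comment.
# No options prefix and no embedded line breaks are accepted.
KEY_RE = re.compile(
    r"(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) "
    r"[A-Za-z0-9+/]+=*( [^\r\n]*)?"
)

def keys_from_ldif(ldif, attr="sshPublicKey"):
    """Return the valid authorized_keys lines found in ldapsearch LDIF output."""
    # LDIF folds long lines: a line starting with one space continues the previous one.
    unfolded = re.sub(r"\r?\n ", "", ldif)
    keys = []
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.lower() != attr.lower():
            continue
        if value.startswith(":"):  # "attr:: ..." marks a base64-encoded value
            try:
                raw = base64.b64decode(value[1:].strip(), validate=True)
                value = raw.decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue  # undecodable value: skip it rather than guess
        value = value.strip()
        # fullmatch rejects values carrying key options or a second, injected line.
        if KEY_RE.fullmatch(value):
            keys.append(value)
    return keys

# Constructed sample data (hypothetical user, placeholder key material).
RSA_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQconstructed alice@desktop"
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=org\n"
    "sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNvbnN0cnVjdGVk alic\n"
    " e@laptop\n"
    "sshPublicKey:: " + base64.b64encode(RSA_KEY.encode()).decode() + "\n"
    'sshPublicKey: command="/bin/sh" ssh-rsa AAAA injected\n'
)

if __name__ == "__main__":
    for key in keys_from_ldif(SAMPLE_LDIF):
        print(key)
```

Because whoever can write the attribute controls who can log in, the directory ACL on that attribute matters as much as the filtering.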
