Edward Ned Harvey wrote:

>>> What is the advantage of going ldap against AD vs. using kerberos ?
>> OpenLDAP/kerberos works swimmingly on Linux and Mac, and has
>> cheap failover options; I've not gotten a non-AD LDAP/kerberos
>
> I'm currently able to use either LDAP or Kerberos on Linux, against the AD
> structure. It works well, except ... If you want to do this on a laptop,
> and leave the network.

You need something to cache the credentials. Macs can do this with their special sauce; Linux systems can with the appropriate incantations of pam_ccreds.

<snipped Centrify>

> your schema. There's just one drawback ... Yes linux, No Mac. (And I
> don't know how much it costs, but it's certainly not free.)

I believe Likewise can do this, including adding the OD schema extensions for OS X into AD. And it supports Linux.

Note, I have no vested interest in any of the commercial offerings listed -- just passing along some research. :)

> I have also scrapped the golden triangle, and gone for straight up,
> all-Apple OD. Fully blessed, all-Leopard clients and server, fresh
> installs, legitimate Apple everywhere, including hardware, and support
> contracts.....

Unless Apple has drastically improved OD, I would be loath to use it except on someone I intensely disliked. However, I've not looked at it for a while.

> I was thoroughly un-impressed with either solution. I had problems like ...
> Get home with my macbook, and try to login, and have to wait for a 2 minute
> timeout before my credentials succeed and I'm logged in.

...

We had this problem integrating our Macs into AD. When the laptops went home, they couldn't login. It seems that the timeout for either doing DNS lookups for the kerberos server, or actually doing kerberos against the servers, was longer than the login-fail-and-start-over timeout on OS X.

We "fixed it" by using ipfw on the OS X clients to block with an icmp error message any kerberos or LDAP attempts against our servers from anything outside our address space, which included our macs at home. In other words, rather than waiting forever and timing out, you got an immediate icmp failure, and went to cached credentials.

--
-- John E. Jasen ([email protected])
-- "Deserve Victory."
-- Terry Goodkind, Naked Empire

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
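The ipfw "fail fast, fall back to cached credentials" workaround described in the mail, written up as an added example (not John's actual rule set). It assumes a corporate range of 10.0.0.0/8, rule numbers starting at 1000, and the standard Kerberos (88) and LDAP/LDAPS (389/636) ports; the `cidr_contains` helper is a hypothetical aid for checking which source addresses the rules leave alone.

```shell
#!/bin/sh
# Added example, not from the original mail. Emits ipfw rules that answer
# any Kerberos/LDAP attempt toward the corporate servers with an ICMP
# host-unreachable error whenever the Mac's own source address is outside
# the corporate range, so a home login fails at once and falls through to
# cached credentials. ORG_NET (10.0.0.0/8) and the rule numbers are assumed.
set -eu

# Print the rules for corporate prefix $1 starting at rule number ${2:-1000}.
# Packets sourced from inside the prefix (on site or on VPN) never match,
# so on-network logins are unaffected.
kerb_ldap_fastfail_rules() {
    org_net=$1
    base=${2:-1000}
    # Kerberos (88) over TCP and UDP; "unreach host" is ipfw's way of
    # "blocking with an icmp error message" rather than silently dropping.
    echo "add $base unreach host tcp from not $org_net to $org_net 88 out"
    echo "add $((base + 1)) unreach host udp from not $org_net to $org_net 88 out"
    # LDAP (389) and LDAPS (636), TCP only
    echo "add $((base + 2)) unreach host tcp from not $org_net to $org_net 389,636 out"
}

# Convert dotted-quad IPv4 address $1 to an integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Succeed if IPv4 address $1 lies inside CIDR $2 (hypothetical helper for
# checking which source addresses the rules will, and will not, touch).
cidr_contains() {
    bits=${2#*/}
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# Load the rules into the running firewall (root required on the Mac).
load_rules() {
    kerb_ldap_fastfail_rules "$@" | while read -r rule; do
        # word splitting of $rule into ipfw arguments is intentional
        ipfw -q $rule
    done
}

if [ "${1:-}" = "--load" ]; then
    load_rules 10.0.0.0/8 1000
fi
```

Run with `--load` as root on the client to install the rules; without it the script only defines the functions so the generated rules can be inspected first.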
