Yves Dorfsman wrote:
> John Jasen wrote:
>> Yves Dorfsman wrote:
>>> Richard Chycoski wrote:
>>>
>>>> AD is solid, scalable, and well supported. There *are* some gotchas if
>>>> you are looking for 100% LDAP compatibility, but for authc/authz (login,
>>>> groups, etc.) nothing else performs quite as well. (I do hope that OpenLDAP
>>>> catches up!)
>>>
>>> What is the advantage of going LDAP against AD vs. using Kerberos?
>>
>> Kerberos is authentication only. LDAP will hold all the stuff you need
>> to have a functional account.
>>
>> At a basic level, I've explained Kerberos as a networked /etc/shadow,
>> and LDAP as a networked /etc/passwd.
>
> Thanks. That makes sense. I have used Kerberos "clients" on UNIX against AD,
> but we were using locally defined accounts.
If you install some version of Services For Unix on your Windows primary domain controllers[1] (and, if I recall, screw with the NIS service a bit)[2], you can get the full RFC2307 NIS schema for LDAP stuff you need to pull account information from AD as well[3].

[1] Windows 2000, Windows 2003: install Services For Unix. Windows 2003 R2: I believe the SFU stuff is on the install disks somewhere. Windows 2008 and beyond: no clue yet. :)

[2] Running NIS is not necessary, but I think adding the RFC2307 schema is somewhere in the NIS service setup. In this, my memory may be dusty.

[3] You will need to map lookups on your client systems: /etc/ldap.conf on Linux; ldapclientconfig (I think) on Solaris. I can send you examples when I get back to work.

--
-- John E. Jasen ([email protected])
-- "Deserve Victory." -- Terry Goodkind, Naked Empire
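An added example of the client-side mapping John mentions in [3], not taken from the thread: an /etc/ldap.conf for the PADL nss_ldap/pam_ldap stack on a Linux client that pulls RFC2307 account data from AD. The domain, base DN, controller name and lookup account are assumed placeholders; the attribute names are the ones AD uses for the Windows 2003 R2 schema, with the older SFU 3.x names shown commented out.

```conf
# /etc/ldap.conf (nss_ldap / pam_ldap) -- Linux client reading RFC2307 data from AD.
# This file is the "networked /etc/passwd" half; Kerberos (pam_krb5) can still do
# the "networked /etc/shadow" half for interactive logins.

uri     ldap://dc1.example.com/          # assumed placeholder controller
base    dc=example,dc=com                # assumed placeholder base DN

# Least-privilege, read-only lookup account. NSS lookups run as every user, so this
# file is world-readable and the password is effectively exposed to local users:
# give the account no rights beyond reading the attributes below, and rotate it.
binddn  cn=nss-lookup,ou=Service Accounts,dc=example,dc=com
bindpw  REPLACE_WITH_LOOKUP_PASSWORD

# Always protect the bind and the attribute data in transit.
ssl             start_tls
tls_checkpeer   yes
tls_cacertfile  /etc/ssl/certs/ad-ca.pem   # assumed path to the AD CA certificate

# AD answers with referrals for other partitions; chasing them stalls lookups.
referrals       no
scope           sub
timelimit       10
bind_timelimit  5

# Where users and groups live in the directory (assumed OUs).
nss_base_passwd ou=People,dc=example,dc=com?sub
nss_base_group  ou=Groups,dc=example,dc=com?sub

# Map the RFC2307 object classes and attributes onto AD's schema.
nss_map_objectclass posixAccount  user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup    group
nss_map_attribute   uid           sAMAccountName
nss_map_attribute   uniqueMember  member
nss_map_attribute   homeDirectory unixHomeDirectory   # Windows 2003 R2 schema
# SFU 3.x schema instead uses the msSFU30* attributes, e.g.:
# nss_map_attribute uidNumber     msSFU30UidNumber
# nss_map_attribute gidNumber     msSFU30GidNumber
# nss_map_attribute homeDirectory msSFU30HomeDirectory
# nss_map_attribute loginShell    msSFU30LoginShell

# pam_ldap settings, only if LDAP binds (not Kerberos) are used for authentication.
pam_login_attribute sAMAccountName
pam_filter          objectclass=user
pam_password        ad

# Keep root's group lookups local so a directory outage cannot hang root logins.
nss_initgroups_ignoreusers root
```

Pair this with `passwd: files ldap` and `group: files ldap` in /etc/nsswitch.conf, and check the result with `getent passwd <aduser>` before touching PAM so a mapping mistake shows up as an empty lookup rather than a failed login.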
