heh, so if I don't get shot for this one... you can just get AD (which is their own smash of LDAP and krb5) and set up your linux applications to auth against it... teee heee (that's what we do here b/c we have to have AD for other things). *runs and hides* It works fine for us.

David

On 1/18/07, bak <[EMAIL PROTECTED]> wrote:

$0.02: Using LDAP for authentication would be nice if it worked, but it Just Don't. I've bumped into so many different apps -- commercial and free -- that want to talk to LDAP over an unsecured connection, or don't understand the password hashing that you've decided to use, or worse yet want to read the password field in the clear instead of just expecting OpenLDAP to give a yea or nay. It's ugly.

That said, if you know your set of applications with LDAP as a backend is limited, you're in the clear.

After a few years of attempting to use LDAP for everything, I gave up and let kerberos handle the authentication part. The worst you can say about it is that if an application isn't kerberized enough to accept a ticket, it can at least take in a username and password pair and go to the KDC itself. But for apps that are kerberized, it's great -- and for web stuff, you can get GSSAPI/SPNEGO going -- it'll look as integrated as ActiveDirectory. :)

--bak

Magnus wrote:
> Nick wrote:
>> Any nudges in the right direction would be appreciated.
>
> Would that include nudging away from LDAP for authentication? It's a
> great tool for user metadata and other directory services but for
> authentication... KerberosV. Linux does support authentication by
> KerberosV mixed with directory services from LDAP. Works great.
>
> --
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
