Author: Stuart Sears
Date:
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] Domain Controllers

On 03/10/09 13:12, Hugo Mills wrote:
> (**) ActiveDirectory uses LDAP for authN, and Kerberos for authZ,
> which is actually a better design than the common Unix configuration
> of LDAP for both authN and authZ. One thing that MS did get
> right... :)
<pedant>
well, technically, if authN == 'authentication' and authZ ==
'authorization', then it's the other way around.
LDAP -> user information, ID etc
Kerberos -> authentication
</pedant>
This I find to be the difficulty with abbreviations like that :)
Oh and with non-Windows clients it's perfectly feasible to use LDAP
against AD for both of these, so LDAP can be both N and Z.
NFS4 effectively uses Kerberos for authentication (and encryption, if
you wish!) so can be user-based.
However, many implementations are incomplete IMHO and require some
technical fiddling to make work.
Still, if I were you (this @Rob) I'd steer well clear of Kerberos if you
have no experience of it as yet. Setting it up and getting apps to play
nice is not exactly a bundle of laughs :)
LDAP auth with enforced TLS encryption** is perfectly adequate.
Regards,
Stuart (taking his opinion hat off for the weekend now)
** another bundle of joy, but OpenLDAP can enforce TLS for incoming
connections.
--
Stuart Sears RHCA etc.
"It's today!" said Piglet.
"My favourite day," said Pooh.
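
An added example, not part of the original message: a small Python check that reads an OpenLDAP cn=config export (for instance the output of `slapcat -n 0`) and reports which databases do not require TLS through an `olcSecurity` factor. The sample LDIF, its DNs and paths are constructed, and the way global and per-database factors are merged is an assumption.

```python
import re
# Constructed sample of a cn=config export; DNs, suffixes and paths are made up.
SAMPLE_LDIF = """\
dn: cn=config
olcTLSCertificateFile: /etc/openldap/certs/server.crt

dn: olcDatabase={1}mdb,cn=config
olcSuffix: dc=example,dc=org
olcSecurity: tls=1

dn: olcDatabase={2}mdb,cn=config
olcSuffix: dc=legacy,dc=example,dc=org
olcSecurity: update_ssf=128
"""

def parse_entries(ldif):
    """Split LDIF text into entries, each a {lowercased attr: [values]} dict."""
    ldif = re.sub(r"\n ", "", ldif)  # unfold LDIF continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        attrs = {}
        for line in block.splitlines():
            m = re.match(r"([\w;-]+):{1,2}\s*(.*)", line)
            if m:
                attrs.setdefault(m.group(1).lower(), []).append(m.group(2))
        if "dn" in attrs:
            entries.append(attrs)
    return entries

def factors(entry):
    """Turn olcSecurity values such as 'tls=1 update_ssf=128' into a dict."""
    values = " ".join(entry.get("olcsecurity", []))
    return {name: int(n) for name, n in re.findall(r"(\w+)=(\d+)", values)}

def audit(ldif):
    """Return {dn: [findings]}; an empty list means encryption is required."""
    entries = parse_entries(ldif)
    glob = next((e for e in entries if e["dn"][0].lower() == "cn=config"), {})
    report = {}
    if not glob.get("olctlscertificatefile"):
        report["cn=config"] = ["no olcTLSCertificateFile, so TLS cannot be offered"]
    for e in entries:
        if "olcsuffix" in e:
            # Assumption: a database's own factor overrides the global one.
            f = {**factors(glob), **factors(e)}
            # tls=N demands TLS; ssf=N accepts any layer (TLS or SASL) that strong.
            ok = f.get("tls", 0) >= 1 or f.get("ssf", 0) >= 1
            report[e["dn"][0]] = [] if ok else ["no tls= or ssf= factor, cleartext accepted"]
    return report
```

In the sample, the second database only restricts updates with `update_ssf`, so it is reported as still accepting unencrypted connections.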