[Gllug] LDAP

Simon Stewart sms at lateral.net
Tue Sep 25 14:22:41 UTC 2001


On Tue, Sep 25, 2001 at 02:46:56PM +0100, Alex Hudson wrote:
> On Tuesday 25 September 2001 14:20, you wrote:
> > Methinks it is high time we had a round table, seminar, whatever on LDAP,
> > and single sign-on.
> 
> Single sign-on requires the Kerberos monster.

Surely that's only if you want an LDAP v3 compliant server? I assure
you that it is perfectly possible to authenticate against an LDAP
server without needing Kerberos. 

You just can't do it hugely securely ;)

> LDAP is cool, but requires a lot of setting up and is particularly unhelpful. 

I don't mind a high initial effort to set things up --- that's not the
issue --- it's the ease of maintenance of plentiful user accounts
across numerous servers that I'm desirous of. The long term benefits
certainly appear to outweigh the short-term costs of the project, and,
once complete, a whole new world of convenience opens up --- do I want a
certain user to be able to access the staging web server? Simple, make
a change in the LDAP directory. Do I want to allow user X to have SSH
access to the mail server? There's an "ssh" PAM module, so in theory,
it should just be a matter of configuring that once and making use of
the LDAP directory.

Of course, it's entirely possible that I've grabbed the wrong end of
the stick and therefore view LDAP as a panacea to ills it cannot cure,
but I know that it _does_ alleviate some of the pain of sysadminning
multiple users on multiple systems.

I'm curious about your use of the word "unhelpful": do you mean that
LDAP doesn't provide much diagnostic feedback, or that the tools are a
PITA to use, or something else?

> I personally want to see Kerberos support built into Winbind, much like 
> Win2k, but with support for Unix single authorization and ACLs. Which don't 
> exist :(

There are several Linux-based ACL projects out there, not least of
which is POSIX ACLs, but you're right, it would be a nice thing to see.

Cheers,

Simon

-- 
Only two things are infinite: the Universe and human stupidity, and I'm
not sure about the former - Albert Einstein
