Hear us Roar
Subject: ldap is not an authentication system
Date: 2005-09-07 11:38:20
From: tim1724
Response to: ldap is not an authentication system

So what's better?
Flat files aren't scalable. Synchronizing them sucks. For several years we've used a Perl script that rebuilt /etc/{passwd,shadow,group} from data in a MySQL database. But installing it on new systems sucked, as it was a lot of work. And it was a real pain to make it work on FreeBSD, which made you jump through hoops whenever /etc/passwd was updated. We've moved to LDAP because every system these days has it built in and adding clients is trivial.
NIS sucks (no security). NIS+ sucks (broken security, easy to hack, and not present on most systems). NetInfo sucks (no security, not present on most systems).
Kerberos is sort of cool. In theory. In real life it just doesn't work. It's too much work to set up, the users can't figure it out, and most programs don't know about it and can't use it.
LDAP was a royal pain to set up, but now that I have it up and running it works great. And adding new machines is trivial. (Except on Solaris, which doesn't want to talk to OpenLDAP. But it's not too hard to replace Sun's LDAP client with OpenLDAP, and it's not like I'll ever be getting any new Solaris boxes anyway. We're moving to a combination of Linux/FreeBSD/Darwin.)
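The post above mentions a script that rebuilt /etc/passwd and /etc/group from a database. The following is an added example in Python, not the poster's Perl script: it renders those files from constructed sample records and refuses any field that could inject extra fields or entries into the colon-separated format, which is the main thing to get right when a database feeds the local account files (the 1000 minimum uid is an assumption).

```python
import re

# Constructed sample rows; bob's GECOS field tries to smuggle in an extra entry.
USERS = [
    {"name": "alice", "uid": 1001, "gid": 100, "gecos": "Alice Example",
     "home": "/home/alice", "shell": "/bin/sh"},
    {"name": "bob", "uid": 1002, "gid": 100, "gecos": "Bob\nroot2::0:0::/:/bin/sh",
     "home": "/home/bob", "shell": "/bin/sh"},
]
GROUPS = [{"name": "users", "gid": 100, "members": ["alice", "bob"]}]

NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
MIN_UID = 1000  # assumption: system accounts stay local, never come from the database

def check_field(value: str, field: str) -> str:
    """Refuse ':' and line breaks: either would split the line or append an entry."""
    if any(c in value for c in ":\n\r"):
        raise ValueError(f"illegal character in {field}: {value!r}")
    return value

def passwd_line(u: dict) -> str:
    """Render one passwd entry; the password column is 'x' (the hash belongs in shadow)."""
    if not NAME_RE.match(u["name"]):
        raise ValueError(f"bad user name: {u['name']!r}")
    if not (MIN_UID <= u["uid"] < 2**31 and 0 <= u["gid"] < 2**31):
        raise ValueError(f"uid/gid out of range for {u['name']}")
    return ":".join([u["name"], "x", str(u["uid"]), str(u["gid"]),
                     check_field(u["gecos"], "gecos"),
                     check_field(u["home"], "home"),
                     check_field(u["shell"], "shell")])

def group_line(g: dict) -> str:
    """Render one group entry; member names are validated like user names."""
    if not all(NAME_RE.match(n) for n in [g["name"], *g["members"]]):
        raise ValueError(f"bad name in group {g['name']!r}")
    return f"{g['name']}:x:{g['gid']}:{','.join(g['members'])}"

def render(users: list, groups: list) -> tuple:
    """Build both files' contents; one bad record aborts the whole run, so a partial file is never installed."""
    passwd = "".join(passwd_line(u) + "\n" for u in users)
    group = "".join(group_line(g) + "\n" for g in groups)
    return passwd, group

def is_valid_user(u: dict) -> bool:
    """True when the record renders cleanly, False when a check rejects it."""
    try:
        passwd_line(u)
        return True
    except ValueError:
        return False
```

Writing the rendered text to a temporary file and renaming it over the live one, rather than writing in place, is left to the caller.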
Replies (2 messages):
- ldap is not an authentication system, 2005-09-25 10:22:59, derekmorr
- ldap is not an authentication system, 2005-09-11 12:44:33, jfenal@free.fr

What is there for users to figure out? If you set up kerberized login, users will get tickets at login. And many apps (email, ssh, web browsers, etc.) support Kerberos already.