On 03/10/09 13:12, Hugo Mills wrote:
> (**) ActiveDirectory uses LDAP for authN, and Kerberos for authZ,
> which is actually a better design than the common Unix configuration
> of LDAP for both authN and authZ. One thing that MS did get
> right... :)

<pedant>
well, technically, if authN == 'authentication' and authZ ==
'authorization', then it's the other way around.
LDAP -> user information, ID etc
kerberos -> authentication
</pedant>

This I find to be the difficulty with abbreviations like that :)

Oh and with non-windows clients it's perfectly feasible to use LDAP
against AD for both of these, so LDAP can be both N and Z.


NFS4 effectively uses kerberos for authentication (and encryption, if
you wish!) so can be user-based.
However, many implementations are incomplete IMHO and require some
technical fiddling to make work.


Still, if I were you (this @Rob) I'd steer well clear of kerberos if you
have no experience of it as yet. Setting it up and getting apps to play
nice is not exactly a bundle of laughs :)

LDAP auth with enforced TLS encryption** is perfectly adequate.

Regards,

Stuart (taking his opinion hat off for the weekend now)

** another bundle of joy, but openLDAP can enforce TLS for incoming
connections.

-- 
Stuart Sears RHCA etc.
"It's today!" said Piglet.
"My favourite day," said Pooh.
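The "enforce TLS for incoming connections" setting mentioned above, as an added example (not from the original post or the list) in slapd.conf syntax; the certificate paths are placeholders and the SSF value is the usual choice for 128-bit TLS ciphers:

```conf
# slapd.conf fragment (added example). Paths below are placeholders.
TLSCACertificateFile  /etc/openldap/certs/ca.crt
TLSCertificateFile    /etc/openldap/certs/ldap.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap.key

# Refuse any operation on a session with less than 128 bits of
# protection, and refuse simple (password) binds in particular, so a
# cleartext ldap:// connection cannot carry credentials. Clients must
# use ldaps:// or StartTLS (ldapsearch -ZZ) before they can bind.
security ssf=128 simple_bind=128

# The local ldapi:// unix socket has no TLS; give it an SSF of 128 so
# root-local tools keep working under the rule above (default is 71).
localSSF 128

# Optional: no anonymous binds at all.
disallow bind_anon
```

For cn=config deployments the same rule is the `olcSecurity: ssf=128 simple_bind=128` attribute on `cn=config`. To check the enforcement from a client, a bind over plain `ldap://` without `-ZZ` should be refused with `ldap_bind: Confidentiality required (13)`, while the same bind with `-ZZ` (or over `ldaps://`) succeeds.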

-- 
Please post to: Hampshire@mailman.lug.org.uk
Web Interface: https://mailman.lug.org.uk/mailman/listinfo/hampshire
LUG URL: http://www.hantslug.org.uk
--------------------------------------------------------------