'[ldap] Re: Microsoft ADAM'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ldap
Subject:    [ldap] Re: Microsoft ADAM
From:       Peter Schober <peter.schober () univie ! ac ! at>
Date:       2007-02-02 18:28:16
Message-ID: 20070202182816.GM1469 () wssp ! cc ! univie ! ac ! at
[Download RAW message or body]

sorry for being pretty much OT with this... OT for the list and even
OT for the current subject...

* Dustin Puryear <dustin@puryear-it.com> [2007-02-02 16:01]:
> As far as I know, you can't "integrate" AD into another
> authentication source directly. AD is the authentication source, as
> far as Microsoft is concerned.

I certainly didn't expect them to make it easy.
authenticating M$ Windows clients via unix kerberos at least seems to
be possible[1]. but I'm just the directory guy (and unix, email,.. ;)
trying to reduce dependencies on and password transfers to certain
other systems.

> That said, most of us have to support large environments with
> multiple LDAP sources, password files, etc. Generally, there will be
> some kind of synchronization, somewhere.

we have developed custom tools to do this (and much more). the problem
is that syncing credentials is actually a lot easier than messing with
these systems to integrate cleanly with existing infrastructures.
(thank goodness our password policy is still not finished ;)
  but it's yet another system that wants to be the authoritative
source for authN (opendirectory, active directory, etc.).

some WebSSO systems seem to have features (at least CAS has a PAM
module; there's some mentioning of CoSign PAM but no sign of code)
that let them venture into the realms (no pun intended) of
kerberos. while this won't help with integrating M$ desktops it would
help with unix/linux/osx maschines and even the occational webmail
system (alleviating the need for proxy authN/n-tier authN).

maybe I should just get stop looking for reasons not to deploy
kerberos and go for it? ;)

regards,
-p.schober

[1] using AD in cross-realm trust with AuthN via some linux KDC or
    using ksetup for standalone PCs like mentioned here
    http://sial.org/howto/kerberos/windows/


---
You are currently subscribed to ldap@umich.edu as: [ldap@progressive-comp.com]
To unsubscribe send email to ldap-request@umich.edu with the word UNSUBSCRIBE as the \
SUBJECT of the message.


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic