AD is a bad choice for the enterprise directory
| Author | Content |
|---|---|
| cdmiller, Dec 16, 2004 6:42 AM EDT | Better to use OpenLDAP for the auth and the enterprise dir, and populate AD from it. OpenLDAP gives you access to the password hash, so you can possibly migrate without having every user go through a password reset. OpenLDAP pays attention to the LDAP standards. AD does stupid things like subverting the use of the cn or common name attribute, treating it as single-valued and unique. OpenLDAP's replication capabilities are far superior to what AD or NDS offer. |
| cjcox, Dec 16, 2004 9:31 AM EDT | Sounds good... but as long as AD is a M$ thing, supplanting M$ is not always guaranteed to work down the road or in every possible M$ scenario. But I highly recommend ditching AD if that works for your environment... just hard to predict the future. |
| tuxchick, Dec 16, 2004 10:11 PM EDT | Friends don't let friends use Active Directory. The interface is the right idea, but as usual under the hood it's a gawdawful mess. Linux needs some good directory services, and I hope Novell steps up and delivers these. In my not so humble opinion, NetWare is the best network operating system. Once they develop full Linux support, it's going to be a huge boost for Linux, and it's going to make managing large mixed networks a lot easier. |
| cjcox, Dec 17, 2004 7:27 AM EDT | Obviously my future is an all-Linux world... in case there's any doubt of where I stand. Linux is all about integration... so while it's still a very mixed world, it's nice to know that Linux provides many, many, many ways of participating in an AD network... or even supplanting it (where that works OK). Can't say the same about M$'s integration paths, even with SFU (pee yew!). The techniques I use (implementation left to the reader): 1. (For large legacy entrenched *ix environments) Have the AD domain login script reference a Samba share which in turn automatically creates the NIS account for the user, with password authentication PAM/winbindd-enabled (which, believe it or not, can be done for AIX, Solaris and HP-UX in addition to Linux) back to the AD password server. 2. Use SSH keys generated by the AD login script to facilitate password-less access from Windows domain-authenticated clients (accounts are replicated again using NIS or LDAP or even local files). Passwords (generally not needed) can be PAM/winbindd-enabled again. |