
Re: [SAGE] RH directory server or IBM TDS and directory structure in a fairly complex environment



On Jan 15, 2008 10:03 AM, Howard Chu <hyc@xxxxxxxxx> wrote:
> Nathan Hruby wrote:
> > Depending on your AD forest and how willing your AD admins are to
> > working with you, this is a perfectly viable option.  Samba offers the
> > winbind daemon which can talk to AD, and in AD 2003-r2 they've fixed a
> > good number of the compatibility issues between windows and
> > non-windows hosts.  There are also several companies that offer
> > integration solutions for Unix+AD.
>
> Yes, it can be made to work. But among all the things which AD does poorly
> (which is, most of them), LDAP authentication is one of the worst. I guess
> with only 200 active users you should be OK. (LDAP searching is pretty lame on
> AD too.)

LDAP on AD ain't the best, I agree.  It works, but it's extra funky
(still, it's better than the LDAP provider Lotus Notes has :).  That's
why I do suggest investigating winbind or one of the commercial
solutions as well as the standard LDAP or LDAP+krb method.  Which way
works best for you will require some investigation, and it may be that
none work well.  My point is that since it's possible and viable, it's
worth a look and some experimentation to see if it's feasible for you
in your environment before building another silo.

>
> http://connexitor.com/blog/pivot/entry.php?id=185
>
> > I'll warn against "having another directory" unless you plan to keep
> > the two in-sync.  Multiple identity stores in a large organization
> > never ends up helping.
>
> Agreed, but sometimes it's a necessary evil, until a better solution can be
> deployed. (Though as we all know, temporary stopgap measures have a tendency
> to become permanent...)

In a lot of cases, AD is the better solution simply because lots of
things work with it easily.  If you work in an industry where 99% of
the applications your users need only run on Windows, other
alternatives tend to get expensive quickly just on interop costs
alone.

OTOH, I agree with you that sometimes you do need to end up running
Yet Another Directory Service because of the interop issues.  I said
in the above "multiple identity stores" and I really don't know why I
said that, my apologies.  I meant "multiple identities" -- meaning
that I believe you can have every single directory service ever
invented in your environment and have it work well, so long as the
identity information between them is consistently identical and that
consistency is achieved without user interaction.

Thanks,

-n
-- 
-------------------------------------------
nathan hruby <nhruby@xxxxxxxxx>
metaphysically wrinkle-free
-------------------------------------------
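Nathan's closing point, that any number of directory services can coexist only if the identity information in them stays identical without user intervention, is something that can be checked mechanically. The script below is an added example, not code from the thread or from either poster: it assumes each directory has been exported to LDIF (for instance with `ldapsearch -LLL`), that a common key attribute (`uid` here) identifies the same person in both, and that the attribute names being compared exist in both exports. The two sample exports are constructed for the example.

```python
"""Audit whether the same identities carry identical attributes in two directories.

Added example; not from the mailing-list thread. Assumes both directories were
exported to LDIF and that a shared key attribute (assumed: "uid") identifies the
same person in each. Sample exports below are constructed, not real data.
"""
from collections import defaultdict

# Constructed sample export from the Windows-side directory (assumed AD).
AD_LDIF = """\
dn: CN=alice,OU=Users,DC=example,DC=com
uid: alice
uidNumber: 1001
gidNumber: 100
mail: alice@example.com

dn: CN=bob,OU=Users,DC=example,DC=com
uid: bob
uidNumber: 1002
gidNumber: 100
mail: bob@example.com

dn: CN=carol,OU=Users,DC=example,DC=com
uid: carol
uidNumber: 1003
gidNumber: 100
mail: carol@example.com
"""

# Constructed sample export from the Unix-side LDAP directory.
UNIX_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
uidNumber: 1001
gidNumber: 100
mail: alice@example.com

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
uidNumber: 2002
gidNumber: 100
mail: bob@example.com

dn: uid=dave,ou=People,dc=example,dc=com
uid: dave
uidNumber: 1004
gidNumber: 100
mail: dave@example.com
"""

# Attributes whose values must agree for the identity to count as consistent.
COMPARE_ATTRS = ("uidNumber", "gidNumber", "mail")


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value' lines.
    Handles folded continuation lines (leading space); base64 '::' values are
    not decoded, which is enough for the plain exports used here."""
    entries = []
    current = defaultdict(list)
    last_attr = None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr:      # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        line = raw.rstrip()
        if not line:                               # blank line ends an entry
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            last_attr = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip()
        current[attr].append(value.strip())
        last_attr = attr
    if current:
        entries.append(dict(current))
    return entries


def index_by(entries, key="uid"):
    """Map the normalised key value to its entry; keys compare case-insensitively."""
    return {e[key][0].lower(): e for e in entries if key in e}


def audit(ldif_a, ldif_b, attrs=COMPARE_ATTRS, key="uid"):
    """Return (only_in_a, only_in_b, drift). drift maps key -> list of
    (attr, values_a, values_b) for compared attributes that differ."""
    a = index_by(parse_ldif(ldif_a), key)
    b = index_by(parse_ldif(ldif_b), key)
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    drift = {}
    for k in sorted(set(a) & set(b)):
        diffs = []
        for attr in attrs:
            va = sorted(v.lower() for v in a[k].get(attr, []))
            vb = sorted(v.lower() for v in b[k].get(attr, []))
            if va != vb:
                diffs.append((attr, va, vb))
        if diffs:
            drift[k] = diffs
    return only_a, only_b, drift


if __name__ == "__main__":
    only_a, only_b, drift = audit(AD_LDIF, UNIX_LDIF)
    print("only in AD:", only_a)
    print("only in Unix LDAP:", only_b)
    for k, diffs in drift.items():
        for attr, va, vb in diffs:
            print(f"{k}: {attr} differs: AD={va} unix={vb}")
```

Run against the constructed exports, the audit flags `carol` as present only on the AD side, `dave` only on the Unix side, and `bob` as having drifted on `uidNumber`; a cron job running the same comparison over real exports is a cheap way to find out when the "consistently identical" condition has silently stopped holding.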