Authentication - Are you who you say you are?
Authorization - Do you have access to this resource?
Accounting - What did you do while you were connected to that resource?
Kerberos is usually tied in with the network file permissions, as well as single sign-on. If you start browsing Windows shares in a domain from Linux, you will have to supply credentials for each share each time you connect, then access is based off of those credentials. You can sign on using any valid username/password combination. Using a Windows PC, the credentials are sent for you (not actually, the computer is told to trust you. It's a lot more in depth, and a rather interesting read. Wikipedia it!). Based on that, you are allowed or denied.
That is very simplified, and not wholly accurate for brevity's sake. But I hope that it helps.
I hate to break it to you, but LDAP is not a directory system. It is a directory protocol. AD provides an LDAP interface. So your directory system can be structured and provide storage in the backend pretty much any way you want. Microsoft, for instance, uses Jet for storing their data, and X.500 for structuring it. But if you wanted to build your directory using post-it notes and a robot, then fine, as long as you provide an LDAP interface, you're an LDAP directory.
I could build it out of unicorn farts, I'm not arguing that. The fact remains that any of the Linux LDAP implementations are Directory Servers.
AD *can* store any arbitrary information with schema additions. So if you can query LDAP on the Linux side for window manager policy, and you can come up with a schema that represents that policy, go ahead, store it in AD. Mac people have been doing this for years, although Apple would prefer that you use their Open Directory system.
Again, I'm not disagreeing with you.
Also-- AD uses Kerberos. How do I know? Because I have Linux machines (MIT Kerb), OpenBSD machines (Heimdal), and Macs (MIT/Apple Kerb) all authenticating against our AD. There are some little oddities here and there (your machines have to support Microsoft's cipher-- which I believe is now installed by default on all recent Kerberos distributions), but in general, it works surprisingly well. For me, on Linux machines, the trick was learning the ins and outs of PAM and winbind. After that, it was easy.
And I'm sure that AD uses Kerberos as well. I've got stacks of books about it, traffic dumps, whatever you need. I've got more proof that AD uses Kerberos than people have that the moon landing was fake.
Anyway, if you're expecting LDAP to provide authentication, you're mistaken about the purpose of LDAP. Think of it as a fancy phone book. What you need are a lock and key. Also-- accounting? For that, you want a piece of logging software. Microsoft supplies all of these things neatly packaged together, and if you don't want to bother with the details, then it's a decent choice. But don't confuse the two, because LDAP only provides a subset of the services that AD does. Complaining that LDAP does a "shit job" at authentication and accounting is like complaining that your tires do a "shit job" of steering. Well, duh.
This is where I disagree with you. LDAP does a wonderful job of authentication. I know that it's not actually doing the authentication. When I was talking about LDAP, I pretty much meant an LDAP backend to a password system. What it doesn't do, and what I was replying to, was this (and I'll clarify so as to not confuse you again): an LDAP-backend-based password system does not provide the authorization portion of the three A's that are outlined and commonly required of any password system, without Kerberos as well. Yes, that goes for AD, but it's built in, so I'm discounting that. Most LDAP-based auth systems that I have used, including AD, have very cryptic log messages. If I want to audit logging, it is a chore. In Windows, you have to search for 670-something messages in the security log, then compare them to a chart to get anything meaningful. I have a copy of the chart right from MS's TechNet. It's there; why is it not in the details? For Linux-based machines, grepping logfiles will get you results, maybe. If not, you're using the command line tools to see if you have valid tickets, etc.
The point I was making is that the OP was saying to throw out your Active Directory and authenticate all of your computers against LDAP, and I was pointing out that AD provided a lot more than just LDAP, that you have to configure more software to come close to the functionality of an LDAP backend to an authentication system, and even after that, you don't get the centralized management of group policy.
But thanks for the lesson on computers and auto mechanics. I'll treasure it.
NTLM or NT LanMan
Authenticating to a Linux LDAP server is nice for central authentication, but it misses out one of the A's completely, and does a shit job on the remaining one.
Authentication - Easy to do against LDAP.
Authorization - Nope, not there, unless you're going to run Kerberos as well. Then you run into compatibility issues and integration nightmares.
Accounting - Horrible. Almost as unusable as the Event log.
Plus, you don't get any of the nice features of AD. Group policy is great for managing lots of computers and rolling out settings. Even after using KDE and their Kiosk tool, which can help you lock things down, I haven't found any out there that you can use that makes things easy.
Plus LDAP can be quite unwieldy. Have you ever built a forest across multiple geographic locations with LDAP? What about multi-master replication?
Your high UID belies your age. Ah fond memories of that, and the rest of the Schoolhouse Rock cartoons.
And I preferred Consumption Junction, but it went to a pay site.
There are quite a few options for a drop-in exchange replacement. Scalix comes to mind.
HR/Accounting is coming along, as well as CRM and ERP. The main issue for HR/Accounting is all the different tax tables needed for each year, each country, each state, etc. These cost money, and you want a throat to choke when they go bad.
But indeed, industry-specific apps are needed. I worked at a logistics company, and the software was insanely expensive, very heavy on system and network requirements, and a monster to write reports for. There are no open source variants for it. If we were a larger company at the time, then we could have had a programming staff and developed one, but we weren't, so we didn't.
Also, we handled a lot of paper. Millions of sheets a year. Each one had to be scanned, indexed and saved. Barcoding was a must. There are no open source solutions for scanning large volumes of paper, and any that can do a medium load do not have a decent barcode engine. Again, with a programming staff, we could have made it work, but that one is a much bigger hurdle. You can't expect an open source dev to spend $5k on a document scanner just to write software for it.
There are a lot of vertical markets out there that need custom software written. Qt4 is going to help. But convincing a company to become a software house as well takes a lot of work, especially if you tell them that you're going to give the software away afterwards.
Heh, I could have responded as an AC as well. So what if I didn't put a lot of thought into the name of a Slashdot account. 'PunkOfLinux' is soooo much better. As is Mewshi.
And speaking of immigrating to Japan, http://www.mewshi.com/test/index.php?page=imagedisplay&gallery=Colored&image=ghost
Nice little manga picture. A budding young artist?
Let me guess. You're a twenty-something web designer who can't even approach a girl. You're not a freak, you're just misunderstood. You like the emo scene, but you don't classify yourself as emo. You're not a closeted homosexual, but you have been mistaken as one.
You can't even post a proper insult. You stick to the tried and true "parent's basement", wapanese, and masturbation shtick. To top it all off, you use the word twat because you think that it makes you edgy, possibly because you've watched a few Guy Ritchie movies.
You sir, if you're even old enough to be called that, are merely a whelp who thinks that you're special because bad things happened to people you know. Guess what. Nobody fucking cares. Now crawl back into that two-bedroom apartment and let the adults talk.
Aww, somebody have someone close to them killed by a little old drunk driver?
Maybe had they been drinking too, they'd have made it out unhurt.
Go fuck yourself right back. I could care less about you. Why don't you try crying on Dr. Phil's shoulders.
... seems every couple of weeks you hear about a drunk driver who whanged into some poor bastard's minivan and killed people, but walked away without a scratch on themselves.
Ergo, evolution wants us to be drunks. You wouldn't happen to have a Ph.D., would you? Because I really could use a doctor's note.
One open to the public, with sharpened stick rental nearby.
He got tired of having his box filled with unsolicited male?
(Shamelessly stolen from Fark)
Judging by the shoddy code, maybe Microsoft floated more than just a letter around. Perhaps code snippets?
into a huge cache on the drive don't get written permanently if the power quits? Why didn't somebody tell me about this before?
I'm really not interested in their answer. I just want to create a prison planet. Although, with the enhanced gravity, they would evolve much stronger than us here.
Okay, let's fill it up with athletes.
Fire off a bunch of rockets filled with Prisoners.
Call it the S.S. Botany Bay, and give them a radio to let us know how it all works out for them.
If there is one thing that is guaranteed in life, it is stupidity. Count on that, and remove the other vectors.
It is my understanding that the name implies the end result and not the range. Place yourself three feet in front of it, and see if you live. Then cast judgment.
It's time to change distros. It hurts at first, but just looking at the new OS will increase your uptime.
Plus it doesn't bitch at you every time that you want to do something even remotely dangerous.
It's not a wife, it's a Jewish mother.
it's expensive, but it's worth it.
Obviously a 1-15 person gamut. Anything else would require more gamut-runners.
because they'll find a way to text for less than what they're paying now.
They're using them and a bunch of XBoxes to create a supercomputer capable of calculating what wacky thing the president is going to do next.
to go through my porn folders to tell me if I am breaking the law or not.
And before anyone here volunteers, you're going to need a fuckton of kleenex, eyebleach and anti-psychotic medication just to get through the folder names.