Linux.com

Couple of points

Posted by: Administrator on September 01, 2004 08:10 PM
Good article, asking good questions... I worked on a single sign-on solution spanning Solaris 8, Solaris 9 and HPUX (using LDAPUX) that authenticated using LDAP + TLS. The vendors frankly told me they didn't think it was possible. It works, but it's fragile and ugly.

You can find a 'least common denominator' LDAP schema to use that supports multiple vendors (RFC 2307) that will provide basic authentication support, but like you pointed out, finding enterprise support for netgroups, auto-mounting support, etc. is a grab bag.

My company is 100% Linux and we ran into weird problems when we tested replacing NIS with LDAP. Things like KDE 3.2 blowing up when you exit because the kdm process doesn't recognize the return code related to pam_ldap, problems with certain applications supporting LDAP authentication with TLS, etc... I mean, authenticating against LDAP basically passes user/pass in plain text, so TLS/SSL is an absolute requirement!

We also found problems with cross-distro support. We primarily use Debian around here, but we tried to integrate RHEL / SLES into the test lab and found just flaky blow-ups, seemingly random failed authentication, version conflicts, etc. I mean, NIS does suck, but at least it's a functional single sign-on system.

My $0.02. Thanks for raising the issue!

DaGoodBoy
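As an added example (not part of DaGoodBoy's comment or the original article), a POSIX shell audit that separates a PADL-style pam_ldap/nss_ldap `/etc/ldap.conf` that would send simple-bind credentials in the clear from one that requires TLS with server certificate verification. The two config fragments and the CA path are constructed; the check insists on an explicit `tls_checkpeer yes` rather than relying on library defaults.

```shell
#!/bin/sh
# Added example, not from the original comment. Constructed PADL-style
# ldap.conf fragments: one that binds in the clear, one that requires TLS.
WEAK_CONF=$(mktemp)
HARDENED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT

# Weak: simple bind over plain ldap://, so the password crosses the wire as-is.
cat >"$WEAK_CONF" <<'EOF'
uri ldap://ldap.example.com
base dc=example,dc=com
ldap_version 3
pam_password md5
EOF

# Hardened: STARTTLS on 389, verified server cert (CA path is constructed).
cat >"$HARDENED_CONF" <<'EOF'
uri ldap://ldap.example.com
base dc=example,dc=com
ldap_version 3
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-ca.pem
pam_password exop
EOF

# ldap_conf_requires_tls FILE -> exit 0 when every bind is encrypted AND the
# server certificate is verified; exit 1 otherwise. Comments are ignored and
# option names are matched case-insensitively, as pam_ldap does.
ldap_conf_requires_tls() {
    awk '
        { sub(/#.*/, ""); if (NF == 0) next; key = tolower($1); val = tolower($2) }
        key == "ssl" && (val == "start_tls" || val == "on") { ssl = 1 }
        key == "tls_checkpeer" && val == "yes"              { checkpeer = 1 }
        key == "uri"  { for (i = 2; i <= NF; i++)
                            if (index(tolower($i), "ldaps://") == 1) ldaps++; else plain++ }
        key == "host" { plain++ }   # host lines are plain unless ssl is set
        END {
            # Encrypted if TLS is negotiated explicitly or every URI is ldaps://.
            encrypted = ssl || (ldaps > 0 && plain == 0)
            code = (encrypted && checkpeer) ? 0 : 1
            exit code
        }' "$1"
}

for f in "$WEAK_CONF" "$HARDENED_CONF"; do
    if ldap_conf_requires_tls "$f"; then echo "$f: TLS required, cert verified"
    else echo "$f: WARNING: simple bind would send the password in the clear"; fi
done
```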
