LDAP Arcane?

Dave Hull dphull at insipid.com
Thu Nov 6 17:40:04 CST 2003


On Thu, 6 Nov 2003, Brian Densmore wrote:

> I didn't spend too much time on it though as I found LDAP to be
> too arcane. I'm not sure what you are looking to do, but why
> do you need Samba+PDC+LDAP? Why not just Samba? It's easy enough
> to set up that a 'secretary' could do it. Usually the simplest
> answer is the correct one. Don't add complexity unless you
> really need it.  ;)

Actually many organizations are looking to directory services (LDAP) to 
simplify and reduce complexity. We're implementing directory services in our 
organization so that when a new hire comes on and HR enters that person's
information into the HR system, that data is automatically added to both 
an Active Duhrectory for Exchange and Novell's eDirectory so accounts are 
automatically created on the file server.

Our networking folks have a directory project underway, whereby when a user 
takes a laptop to a different location on the other side of campus and plugs 
into the network, a directory lookup is done for their MAC address and if it's 
found, it also checks the directory for a host of information, like where 
that user's normal subnet is, and through the magic of dynamic VLANs they will 
actually be given their normal IP address if it's available, or a different IP 
from their normal subnet.

LDAP is very useful for being able to keep all the information about a person 
or object in one place, password(s), username, real name, phone number, 
address, rights to other resources on the network, etc.

Under our current environment, we have an Exchange system and we have file and 
print servers and we have additional resources that people need to 
authenticate into. Currently we have no way to keep all of these resources in 
synch so users may have one username and password for Exchange, another for 
the file and print server and still another for additional resources.

Where we're heading is toward a "directory enabled" environment where a user 
will have one username and one password in one directory (actually two that 
are kept in synch) along with other information in the directory like what 
resources they have access to, etc.

This "single sign-on" business makes me nervous frankly because it means if a 
person cracks a single password, they'll be able to wreak havoc on multiple 
systems, but alas I don't call the shots.

LDAP has a bright future. You might want to brush up on this arcane knowledge.

-- 
Dave Hull
http://insipid.com

"People should have access to the data which you have about them.  There should
 be a process for them to challenge any inaccuracies."
-- Arthur Miller
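The MAC-address lookup and home-subnet address assignment Dave describes above, modeled as an added Python example (not code from the original message or from any project mentioned in it); the directory records, VLAN numbers and the reserved-gateway rule are constructed assumptions standing in for a real LDAP query.

```python
import ipaddress

# Constructed sample directory records keyed by MAC address (hypothetical
# schema); a real deployment would fetch these from LDAP.
DIRECTORY = {
    "00:11:22:33:44:55": {"uid": "dhull", "vlan": 110,
                          "home_subnet": "10.1.10.0/24", "normal_ip": "10.1.10.42"},
    "66:77:88:99:aa:bb": {"uid": "bdensmore", "vlan": 120,
                          "home_subnet": "10.1.20.0/24", "normal_ip": "10.1.20.7"},
    "cc:cc:cc:cc:cc:cc": {"uid": "lab01", "vlan": 130,
                          "home_subnet": "10.1.30.0/30", "normal_ip": "10.1.30.2"},
}


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon form so 00-11-22-... and 00:11:22:... match."""
    return mac.strip().lower().replace("-", ":")


def assign_address(mac: str, in_use, directory=DIRECTORY):
    """Look the MAC up in the directory and pick an address on the user's
    home subnet: the normal IP if it is free, else the first free host.
    Returns (uid, vlan, ip) with ip=None when the subnet is exhausted, or
    None when the MAC is unknown (the device stays on the default VLAN)."""
    entry = directory.get(normalize_mac(mac))
    if entry is None:
        return None
    subnet = ipaddress.ip_network(entry["home_subnet"])
    used = {ipaddress.ip_address(a) for a in in_use}
    # Assumption: the first host address of every subnet is the gateway.
    used.add(subnet.network_address + 1)
    preferred = ipaddress.ip_address(entry["normal_ip"])
    if preferred in subnet and preferred not in used:
        return entry["uid"], entry["vlan"], str(preferred)
    for host in subnet.hosts():
        if host not in used:
            return entry["uid"], entry["vlan"], str(host)
    return entry["uid"], entry["vlan"], None


if __name__ == "__main__":
    # Normal IP already taken elsewhere: fall back to another address on
    # the home subnet, as the message describes.
    print(assign_address("00-11-22-33-44-55", ["10.1.10.42"]))
```

The MAC is only a lookup key here, not proof of identity, so the returned VLAN should be treated as network placement rather than as authentication to the resources the directory lists.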