LDAP Arcane?
Dave Hull
dphull at insipid.com
Thu Nov 6 17:40:04 CST 2003
On Thu, 6 Nov 2003, Brian Densmore wrote:
> I didn't spend too much time on it though as I found LDAP to be
> too arcane. I'm not sure what you are looking to do, but why
> do you need Samba+PDC+LDAP. Why not just Samba? It's easy enough
> to set up that a 'secretary' could do it. Usually the simplest
> answer is the correct one. Don't add complexity unless you
> really need it. ;)
Actually, many organizations are looking to directory services (LDAP) to
simplify and reduce complexity. We're implementing directory services in our
organization so that when a new hire comes on and HR enters that person's
information into the HR system, that data is automatically added to both
an Active Duhrectory for Exchange and Novell's eDirectory, so accounts are
automatically created on the file server.
Our networking folks have a directory project underway whereby, when a user
takes a laptop to a different location on the other side of campus and plugs
into the network, a directory lookup is done for their MAC address and, if it's
found, it also checks the directory for a host of information, like where
that user's normal subnet is, and through the magic of dynamic VLANs they will
actually be given their normal IP address if it's available, or a different IP
from their normal subnet.
LDAP is very useful for being able to keep all the information about a person
or object in one place, password(s), username, real name, phone number,
address, rights to other resources on the network, etc.
Under our current environment, we have an Exchange system and we have file and
print servers and we have additional resources that people need to
authenticate into. Currently we have no way to keep all of these resources in
synch so users may have one username and password for Exchange, another for
the file and print server and still another for additional resources.
Where we're heading is toward a "directory enabled" environment where a user
will have one username and one password in one directory (actually two that
are kept in synch), along with other information in the directory like what
resources they have access to, etc.
This "single sign-on" business makes me nervous, frankly, because it means if a
person cracks a single password, they'll be able to wreak havoc on multiple
systems, but alas, I don't call the shots.
LDAP has a bright future. You might want to brush up on this arcane knowledge.
--
Dave Hull
http://insipid.com
"People should have access to the data which you have about them. There should
be a process for them to challenge any inaccuracies."
-- Arthur Miller
More information about the Kclug mailing list