
Re: pppd + pam



On Thu, 2003-03-06 at 14:19, Danny Sauer wrote:
> I dislike LDAP for some reason.  I'm not sure why.

LDAP is different from most data servers; it's more like an object
database.  This can be somewhat interesting to wrap your brain around. 
Think of it as a Perl hash or a Python dictionary with an additional
hierarchical structure and the ability to query for objects by any
field.

The main advantage with LDAP is its extensibility.  If you want to
associate new data with objects in MySQL, you have to hack up your
schema, propagate the new structure, etc.  With LDAP, you just write a
new schema file, stick it in place, and start associating entries with
the new feature.

Case study: I set up LDAP to manage Internet stuff at a recent job. 
They wanted to allow Internet mail access, but they didn't want just
everyone on the Exchange server to get Internet E-mail; they wanted some
people to be on something like a mailing list, except that their
identity needed to be anonymized on outgoing mail, while others would
have traditional access.  So I just created mail group and mail user
schemas that did this, and hooked Postfix into the schemas (again, very
easy to do) so it did the right kinds of address rewriting, forwarding,
etc.  The LDAP management tools we had were able to handle these changes
very easily; one tool didn't need any code, and the other needed just a
little bit of UI logic.  Doing all of this with a SQL database would
have required a lot more custom code.

Also, the combination of LDAP and Kerberos is becoming something of a
standard now.  Even outside of the Microsoft juggernaut, it's a good
idea; no other seriously-used password scheme is as secure as Kerberos. 
(Of course, I don't condone MS's nasty extensions which tend to swallow
networks whole.)

Also, there's this: http://pgina.cs.plu.edu/.  That allows you to
authenticate on Windows 2000/XP through any authentication service that
has a plugin, whether or not it's running on W2K Server.  Unfortunately,
the only plugin available so far is for LDAP over SSL.
-- 
Jeff Licquia <jeff@licquia.org>
