[nylug-talk] LDAP server recommendations?

Michael B Allen
Tue Nov 14 12:29:25 EST 2006


On Tue, 14 Nov 2006 10:42:33 -0500
"R. Mariotti" <r.mariotti at fdcx.net> wrote:

> Thanks to all for the outstanding recommendations of OpenLDAP (2.3.3x)
> so I guess that settles it.
> 
> Now, on to the single-signon part of the equation.

I would agree that OpenLDAP is the best option right now. My understanding
is the code used to be the pits but that it has come a long way
recently. I've looked at the code of OpenLDAP and Fedora Directory Server
and OpenLDAP wins.

Note however, that OpenLDAP (unlike FDS and AD) does not support
multimaster replication. That means that if your clients lose
communication with it they will not be able to do updates even if you
can communicate with a slave.

Also, wrt SSO, note that LDAP is not an authentication service. There
are a number of packages that try to use it as such but using ldap_bind
functions as a makeshift authentication service is inappropriate and
insecure. You must use Kerberos for proper SSO at this time and Kerberos
and LDAP really have nothing to do with one another (aside from perhaps
using OpenLDAP as a backend for Heimdal which is becoming increasingly
popular).

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
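The pitfall behind Mike's warning about ldap_bind as a makeshift authentication service, as an added example that is not part of his post and is not OpenLDAP, FDS or Kerberos code. Instead of a real directory it uses a small constructed in-memory stand-in that follows the simple-bind rules of RFC 4513: a DN with an empty password is an "unauthenticated" bind, which some servers (Active Directory by default; OpenLDAP only when configured to allow it) answer with success without checking anything, so an application that equates "bind returned success" with "password verified" lets anyone in with a blank password. The DN suffix, the sample users and the `allow_unauthenticated` switch are assumptions for the demo; the SSO half (Kerberos) is not modelled here at all.

```python
"""Why "the bind succeeded, so the user is authenticated" is not a safe check.

Added example, not code from the original post or from any LDAP server.
The directory below is a constructed in-memory stand-in (no real LDAP
library or network) implementing the simple-bind rules of RFC 4513 5.1:
  - empty DN + empty password  -> anonymous bind, success
  - DN + empty password        -> "unauthenticated" bind; success on servers
                                  that allow it, with nothing verified
  - DN + password              -> password actually compared
"""
import hmac

SUCCESS = 0                 # LDAP resultCode success
INVALID_CREDENTIALS = 49    # LDAP resultCode invalidCredentials
UNWILLING_TO_PERFORM = 53   # LDAP resultCode unwillingToPerform

BASE_DN = "ou=people,dc=example,dc=com"   # assumed suffix for the demo

# Constructed sample directory: DN -> cleartext userPassword (demo only;
# a real server stores a hash).
DIRECTORY = {
    f"uid=alice,{BASE_DN}": "correct horse",
    f"uid=bob,{BASE_DN}": "battery staple",
}


def simple_bind(dn: str, password: str, allow_unauthenticated: bool) -> int:
    """Model of the server side of an LDAP simple bind (RFC 4513 section 5.1)."""
    if dn == "" and password == "":
        return SUCCESS                      # anonymous bind: allowed here
    if dn != "" and password == "":
        # Unauthenticated bind: success proves nothing about `dn`.
        return SUCCESS if allow_unauthenticated else UNWILLING_TO_PERFORM
    stored = DIRECTORY.get(dn)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return INVALID_CREDENTIALS
    return SUCCESS


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4).

    '=' need not be escaped by the RFC but is escaped here as common
    libraries do; NUL becomes the hex pair \\00.
    """
    out = []
    for ch in value:
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    s = "".join(out)
    if s.startswith((" ", "#")):
        s = "\\" + s
    if s.endswith(" "):
        s = s[:-1] + "\\ "
    return s


def naive_login(username: str, password: str, allow_unauthenticated: bool) -> bool:
    """The pattern the post warns against: build a DN from user input, bind
    with whatever was typed, and treat any success(0) as proof of identity."""
    dn = f"uid={username},{BASE_DN}"        # unescaped user input in the DN
    return simple_bind(dn, password, allow_unauthenticated) == SUCCESS


def hardened_login(username: str, password: str, allow_unauthenticated: bool) -> bool:
    """Minimum care if a bind is used as a password check anyway.

    Still only a password check against one directory, not SSO: nothing
    here replaces Kerberos. Real code must also refuse to send the
    password except over TLS, which this stand-in does not model.
    """
    if username == "" or password == "":
        return False    # never hand the server an anonymous/unauthenticated bind
    dn = f"uid={escape_rdn_value(username)},{BASE_DN}"
    return simple_bind(dn, password, allow_unauthenticated) == SUCCESS


if __name__ == "__main__":
    # Against a server that allows unauthenticated binds, the naive check
    # accepts "alice" with a blank password; the hardened one does not.
    print("naive, blank password:   ", naive_login("alice", "", True))
    print("hardened, blank password:", hardened_login("alice", "", True))
    print("hardened, real password: ", hardened_login("alice", "correct horse", True))
```

The first print is the whole point of the post: the directory said "success", but it never looked at a password. Turning unauthenticated binds off on the server (OpenLDAP's default) closes that one hole, yet the application is still only proving that it knows one password, which is why the post says SSO needs Kerberos rather than more bind calls.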

