Re: Authentication/Authorization Recommendations

With all due respect, if I were running an otherwise all-Windows shop, and wanted a directory-based AuthN/AuthZ environment, I'd just use Active Directory. I mean why add management of Linux and Samba and OpenLDAP and all that stuff on top of the Windows admin workload, and have to deal with all the minor (and sometimes not-so-minor) issues you'll have trying to make that work with MS. And if it doesn't work you'll get no help from Microsoft.

Don't get me wrong, I like open source software and all, and if you want to provide an LDAP directory service in a heterogeneous environment, then what you're describing makes a lot more sense to me, but it does not sound like that is what you're dealing with.

Also I'd get rid of the Win98.

Just my $0.02.


On Thursday, October 23, 2003, at 08:38 AM, Jason.McGlamary@Medstar.net wrote:

Hello All,
First, I want to say that I understand I am probably asking for a lot
in this message, so I apologize if it irritates anyone. However, I'd
really appreciate anyone who is willing to bear with me and offer some
advice on the type of OpenLDAP configuration that would best suit my needs.
I've read through all the list posts for the past several months, have
checked the archives and the documentation. I've been experimenting with
the application with mostly successful results. The part that still evades
me is determining the best authentication and authorization mechanisms to
use for my project. With that in mind, the following are details on my

I have 2 file and DB servers installed with RH9 (1 is to provide
redundancy). I do not want to trust the company NT PDC for authentication
to my servers, and would rather handle all authentication/authorization for
our servers myself (mainly limited to a single division of the company).
The environment for the whole house is Windows based (mostly Win98), so
I'll need to be running Samba for the file sharing aspect. Security from
the outside world will be provided by the company firewall, but I believe
I'd still prefer to secure all communications (no plaintext; passwords or
otherwise). I want OpenLDAP to provide authentication to my servers as
well as manage groups for authorization to shares. I'd like users to be
able to manage their own passwords (securely), and all authorization
handled by LDAP.

In short, my basic need is to determine how to best configure
OpenLDAP for best security while maintaining easy account management for my
users. I do not really want to make my own PDC though as most docs dealing
w/ Openldap and Samba together seem to lean towards. The main area that's
been boggling me thus far is the function of SASL, and how to choose a
mechanism to use.

Looking back at this message, it seems to me there is probably a lot
of area for confusion in my request. If anyone out there is willing to
offer me a clue, I'd be more than happy to expand further as much as you
require. Thanks for the patience. LDAP very newbie.

Hoping for a clue,
Jason McGlamary

Application Specialist
Division of Nursing - Nursing Informatics
Co-Chair WHC/NRH/IS Focus Forum
Washington Hospital Center
email: Jason.McGlamary@Medstar.net
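A slapd.conf fragment that addresses the three concrete requirements in the original post (no plaintext passwords on the wire, users changing their own passwords, group membership in LDAP for share authorization), given as an added example that is not part of either message and was not written by either author. The suffix dc=example,dc=com, the certificate paths, the bind DN cn=samba, and the group names are assumptions; the sambaNTPassword/sambaLMPassword attribute names assume Samba 3's samba.schema (Samba 2.2 used ntPassword/lmPassword instead).

```conf
# Added example slapd.conf (OpenLDAP 2.1/2.2 era). Not from the thread.
# Suffix, file paths, bind DN and group names below are assumptions.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema   # from the Samba 3 distribution

# Server certificate so clients can use ldaps:// or STARTTLS.
TLSCACertificateFile    /etc/openldap/cacert.pem
TLSCertificateFile      /etc/openldap/slapd-cert.pem
TLSCertificateKeyFile   /etc/openldap/slapd-key.pem

# Refuse any operation, including a simple (password) bind, that is not
# protected by at least 128 bits of security strength from TLS or from a
# SASL mechanism with confidentiality. This is the setting that actually
# enforces "no plaintext passwords"; a client that forgets STARTTLS gets
# "confidentiality required" instead of silently sending its password.
security        ssf=128 simple_bind=128 update_ssf=128

# SASL: no anonymous and no plaintext mechanisms (PLAIN/LOGIN) unless the
# transport already supplies the required SSF; also no anonymous binds.
sasl-secprops   noanonymous,noplain,minssf=128
disallow        bind_anon

# Hash userPassword on the server when it is changed via ldappasswd/exop.
password-hash   {SSHA}

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# rootpw: put the output of slappasswd here ({SSHA}...), never a clear value.
directory       /var/lib/ldap

# Password attributes: the owner may change them, anyone may bind with
# them ("auth"), nobody may read them back. Samba's own bind identity may
# write them so smbpasswd/password changes from Windows update the hashes.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn="cn=samba,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none

# Groups used for share authorization (valid users = @groupname in smb.conf):
# readable by any authenticated user, writable only by a named admin group.
access to dn.subtree="ou=Groups,dc=example,dc=com"
        by group/groupOfNames/member="cn=ldapadmins,ou=Groups,dc=example,dc=com" write
        by users read
        by * none

# Everything else: Samba may write account attributes, users may read.
access to *
        by dn="cn=samba,dc=example,dc=com" write
        by users read
        by * none
```

Two caveats follow from the `security` line. First, Samba's own connection to slapd must honour it: in smb.conf use `passdb backend = ldapsam:ldap://ldap.example.com` with `ldap ssl = start tls`, or its binds are rejected. Second, the Win98 clients never speak LDAP; they speak SMB to Samba, which authenticates them by challenge-response against the stored hashes, so Samba needs the LM hash (sambaLMPassword) for Win9x clients and `ldap passwd sync = yes` keeps userPassword and the NT/LM hashes in step when a user changes a password through Windows. Check the transport side with `ldapsearch -ZZ -x -W -D uid=someone,ou=People,dc=example,dc=com -b dc=example,dc=com` (`-ZZ` fails rather than falling back if STARTTLS does not succeed), and the ACLs with `slapacl` or by binding as an ordinary user and confirming userPassword is absent from the returned entries.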