
Re: Authentication/Authorization Recommendations

      Thanks for the response.  Generally, I'd agree with you on all
points.  However, the limiting factor is equipment/software cost.  Most of the
budget given to this project was used in hardware purchase.  Yes, it is a
ridiculously small budget, and unreasonable demands, but when you're
dealing in an organization where IT decisions are made by doctors, and not
by technical professionals......

Thanks for the response though,
Jason McGlamary

Application Specialist
Division of Nursing - Nursing Informatics
Co-Chair WHC/NRH/IS Focus Forum
Washington Hospital Center
ph: 202-877-2243
pager: 202-474-8691
email: Jason.McGlamary@Medstar.net

Allan Streib <astreib@indiana.edu>
To:       Jason.McGlamary@Medstar.net
cc:       openldap-software@OpenLDAP.org
Subject:  Re: Authentication/Authorization Recommendations
10/23/2003 10:20

With all due respect, if I were running an otherwise all-Windows shop,
and wanted a directory-based AuthN/AuthZ environment, I'd just use
Active Directory.  I mean why add management of Linux and Samba and
OpenLDAP and all that stuff on top of the Windows admin workload, and
have to deal with all the minor (and sometime not-so-minor) issues
you'll have trying to make that work with MS.  And if it doesn't work
you'll get no help from Microsoft.

Don't get me wrong, I like open source software and all, and if you
want to provide an LDAP directory service in a heterogeneous
environment, then what you're describing makes a lot more sense to me,
but it does not sound like that is what you're dealing with.

Also I'd get rid of the Win98.

Just my $0.02.


On Thursday, October 23, 2003, at 08:38 AM, Jason.McGlamary@Medstar.net

> Hello All,
>       First, I want to say that I understand I am probably asking for a lot
> in this message, so I apologize if it irritates anyone.  However, I'd
> really appreciate anyone who is willing to bear with me and offer some
> advice on the type of OpenLDAP configuration that would best suit my needs.
> I've read through all the list posts for the past several months, have
> checked the archives and the documentation.  I've been experimenting with
> the application with mostly successful results.  The part that still evades
> me is determining the best authentication and authorization mechanisms to
> use for my project.  With that in mind, the following are details on my
> project.
>       I have 2 file and DB servers installed with RH9 (1 is to provide
> redundancy).  I do not want to trust the company NT PDC for authentication
> to my servers, and would rather handle all authentication/authorization for
> our servers myself (mainly limited to a single division of the company).
> The environment for the whole house is Windows based (mostly Win98), so
> I'll need to be running Samba for the file sharing aspect.  Security from
> the outside world will be provided by the company firewall, but I believe
> I'd still prefer to secure all communications (no plaintext; passwords or
> otherwise).  I want OpenLDAP to provide authentication to my servers as
> well as manage groups for authorization to shares.  I'd like users to be
> able to manage their own passwords (securely), and all authorization
> handled by LDAP.
>       In short, my basic need is to determine how to best configure
> openldap for best security while maintaining easy account management for my
> users.  I do not really want to make my own PDC though as most docs dealing
> w/ Openldap and Samba together seem to lean towards.  The main area that's
> been boggling me thus far is the function of SASL, and how to choose a
> mechanism to use.
>       Looking back at this message, it seems to me there is probably a lot
> of area for confusion in my request.  If anyone out there is willing to
> offer me a clue, I'd be more than happy to expand further as much as you
> require.  Thanks for the patience.  LDAP very newbie.
> Hoping for a clue,
> Jason McGlamary
> Application Specialist
> Division of Nursing - Nursing Informatics
> Co-Chair WHC/NRH/IS Focus Forum
> Washington Hospital Center
> email: Jason.McGlamary@Medstar.net
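For readers arriving at this thread with the same question, the following slapd.conf fragment is an added illustration, not configuration posted by anyone in the thread, of the properties the original message asks for: no plaintext on the wire (including for binds), users able to change only their own password, and share authorization driven by LDAP groups. It assumes a suffix of dc=example,dc=com, certificate paths under /etc/openldap/certs, an admin group cn=ldapadmins,ou=Groups,dc=example,dc=com and a service DN cn=samba,ou=Services,dc=example,dc=com for Samba's ldapsam backend; all of those names are placeholders. Directive names are OpenLDAP 2.1/2.2 slapd.conf syntax.

```conf
# slapd.conf fragment (added illustration, not from the thread).
# Assumed placeholders: dc=example,dc=com, /etc/openldap/certs/*,
# cn=ldapadmins,ou=Groups,... and cn=samba,ou=Services,...

# --- Transport security: refuse anything that is not encrypted -------------
TLSCACertificateFile    /etc/openldap/certs/ca.pem
TLSCertificateFile      /etc/openldap/certs/ldap.example.com.pem
TLSCertificateKeyFile   /etc/openldap/certs/ldap.example.com.key

# Minimum security strength factor for every operation, for simple
# (password) binds in particular, and for updates. A simple bind on a
# plaintext connection is rejected before the password is even looked at,
# so a client that forgets STARTTLS fails closed instead of leaking a
# password to the LAN.
security ssf=128 simple_bind=128 update_ssf=128

# SASL policy: no anonymous mechanism, no plaintext mechanism, and at
# least 56-bit protection negotiated by the mechanism or the TLS layer.
sasl-secprops noanonymous,noplain,minssf=56

# Nobody binds anonymously, and every non-bind operation needs an
# authenticated identity.
disallow bind_anon
require  authc

# --- Passwords at rest -----------------------------------------------------
# Hash userPassword with salted SHA-1 on password modify operations
# rather than storing cleartext or CRYPT.
password-hash {SSHA}

# --- Access control: first matching clause wins, so order matters ----------
# A user may change only their own password; an unauthenticated connection
# may use it to authenticate (that is what a bind is); nobody else reads it.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Samba's ldapsam backend keeps NT/LM hashes in the directory. They are
# password-equivalent, so only Samba's own DN and the admins may touch them,
# and nobody else may read them.
access to attrs=sambaNTPassword,sambaLMPassword
    by dn.exact="cn=samba,ou=Services,dc=example,dc=com" write
    by group.exact="cn=ldapadmins,ou=Groups,dc=example,dc=com" write
    by * none

# Everything else (accounts, posixGroup membership used for share ACLs)
# is managed by the admin group and Samba's DN; ordinary users get a
# read-only view; unauthenticated connections get nothing.
access to *
    by group.exact="cn=ldapadmins,ou=Groups,dc=example,dc=com" write
    by dn.exact="cn=samba,ou=Services,dc=example,dc=com" write
    by users read
    by * none
```

With this in place a user changes their own password with `ldappasswd -ZZ -x -D "uid=jsmith,ou=People,dc=example,dc=com" -W -S` (the `-ZZ` makes STARTTLS mandatory), and the same command without `-ZZ` is refused with "confidentiality required" rather than silently sending the password in the clear. On the SASL question in the original message: once the server enforces TLS, a simple bind over TLS is a reasonable choice, because challenge-response mechanisms such as DIGEST-MD5 avoid putting the password on the wire only at the cost of requiring the server to hold it in cleartext (in sasldb or as a {CLEARTEXT} userPassword), which conflicts with the `password-hash {SSHA}` line above; that trade-off is a general property of the mechanisms, not something the thread states.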