What next? LDAP

Felipe Alfaro Solana felipe.alfaro at gmail.com
Thu Jun 2 21:54:38 UTC 2005


On 6/2/05, Nicolas Mailhot <Nicolas.Mailhot at laposte.net> wrote:
> > Single sign-on doesn't require a LDAP server, but some kind of central
> > identity management which can be supplied by using a Kerberos V KDC like
> > the Kerberos V MIT implementation that comes in the form of krb5-*
> > packages for Fedora Core.
> 
> Kerberos is insufficient by itself.
> 9 times out of ten if you're interested in SSO you want at least a
> centralised addressbook too. The needs start snowballing pretty quickly.

Yeah, I know... I simply stated that LDAP isn't a requirement,
although it's pretty recommended. I have a small LAN at home and have
been using Kerberos without LDAP with no problems. However, SSO
without centralized identity management in SMEs can lead to serious
security and organizational headaches.

> The Microsoft implementation may be bad but they've understood the needs
> of small to big corporations pretty well (for huge corporations their
> offering does not scale but they'll be using their own ldap/kerberos
> combo anyway).

Microsoft implementation isn't that bad... what's bad is their
closed-mind approach to getting things out of the door and their
lock-in mentality. However, AD is a great idea and it's what we're
currently lacking.

> An easy ldap/krb5 setup would be used starting from two computer
> networks. Only licensing and complexity have active directory start
> above SMEs.

> We need easy SSO, addressbook, network conf, ical, file sharing
> (thankfully dhcp/dns, imap/smtp, ipp, http, sql and office software are
> well covered now)

Agree, but just make sure we don't make this a requisite: people
should still be able to work without this kind of integration, if they
wish.




More information about the fedora-devel-list mailing list