Spec for Kerberizing Ubuntu

Andrew Forgue forgue at oakland.edu
Thu Jul 14 09:19:16 CDT 2005


Stephen Shirley wrote:

> Andrew Forgue wrote:
>
>> http://udu.wiki.ubuntu.com/KerberizingUbuntu.  It's just the starting
>
>
>> So if people could get a look over it and update, give me input or
>> anything else, I'd appreciate it.
>
>
> The last section seems to imply that LDAP is the favoured user info
> retrieval method. Personally, I'm more of a fan of nss-mysql, as it's
> vastly less complex (at least IME). Is there a particular reason why
> it's not considered?
>
> Steve
>

Short Answer: Because nobody likes MySQL (I kid, I kid!)

Long Answer:

Most businesses and universities, small, medium, large, etc., already have
an LDAP infrastructure in place.  It's important to not force users to
implement something else.  In addition, Microsoft Active Directory is
based on LDAP and Kerberos and it's only a schema change to allow
libnss-ldap to get user information from it.  LDAP permissions are much
easier to manage than database table level permissions, in my
experience.  For instance, you can say that nobody is allowed to read
the 'mail' attribute for any user except their own entry.  This is to
comply with various .edu laws such as FERPA.  I'm not sure how you would
accomplish that with a database.  There are a lot of other things, such as
subtrees, referrals, and multi-valued attributes, that I'm sure you could
do with a database; it's just a lot more difficult.  But perhaps the
most important reason is that almost everything that needs authenticated
access supports LDAP.  I can't think of very many things that support
MySQL (or any database) besides PAM, NSS and Apache.

I wouldn't say that LDAP is any less complex than a database repository,
but it's just more supported.  If it were decided to use a database
server for user information, which would be very unfortunate :D, I would
vehemently oppose MySQL in favor of PostgreSQL (Not that I have any
particular say in anything).

-- 
Andrew J. Forgue
Systems Programmer II :: Oakland University
forgue at oakland.edu 
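
The per-attribute restriction described in the message above (only the owner of an entry may read its 'mail' attribute), written as directory ACLs. This is an added example, not part of the original post; it assumes OpenLDAP's slapd.conf ACL syntax, and the dc=example,dc=edu suffix and ou=People container are placeholders.

```conf
# slapd.conf fragment (constructed example, placeholder suffix).
#
# slapd evaluates "access to" clauses top to bottom and stops at the
# first clause whose target matches, so the narrow attribute rule has
# to come before the catch-all. Reversing the order would expose mail.
# Note: the rootdn is never subject to these rules.

# mail: readable only when the bound DN is the entry itself.
access to dn.subtree="ou=People,dc=example,dc=edu" attrs=mail
    by self read
    by * none

# Everything else under the suffix stays readable, which covers the
# posixAccount attributes that libnss-ldap looks up (uid, uidNumber,
# gidNumber, homeDirectory, loginShell).
access to dn.subtree="dc=example,dc=edu"
    by * read
```

To check the rule, bind as one user and search for another user's entry: the entry should come back without its mail attribute, and a search filtered on mail should match only the bound user's own entry.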

