List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is read-only, so to contribute you will need to join our list community.

 

Subject: SV: [ActiveDir] Authenticate (and authorize) clients centrally...
favvojohan, 02/25/2010 3:44 PM
Oh, that's scary! I agree, time to move forward!!

I'm aware that AD uses a Kerberos implementation, hence my e-mail :) What are the pros and cons of a native (say MIT) Kerberos implementation and an AD?

Do you mean that UNIX and Mac users don't want to change the way they're managing their clients? Yes, that is an issue. Though I don't think it's too big regarding authentication. If we're talking about managing the clients, it's a different story!

OK, interesting warning. Why should it be a big security risk to have them in the same forest? We have all students in the same domain as the employees. We separate them with OUs and security groups. The students are not allowed (through GPO) to log in to employees' computers. They are never granted any rights in the AD.

I think that if a student wanted to gain rights in the AD or on other computers he/she would need to take over an employee's account (regardless of whether they're in the same AD or not) or computer (to get to the account).

/Johan

___
Johan Peterson
IT-Architect
Linköping University | LiU-IT
http://www.liu.se

From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Paul Bergson (ALLETE)
Sent: 25 February 2010 15:29
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Authenticate (and authorize) clients centrally...

Active Directory (AD) uses a Kerberos implementation, is LDAP and maintains a 70% market share, so yes, there are plenty of users around the world who are using AD. What I found out interesting last week is that the second largest share of the Directory Services market is held by........ NT. Wow! What are folks thinking? That is one old piece of software; time to move forward.

Anyways, the biggest issue I can see you having is not being able to implement this since you should be able to authenticate your UNIX and Mac clients, but getting control of all the admins who are going to want to keep control of their little world. Since you are in a University setting I would also warn you to keep a separate forest between your students and any University data. Some of the smartest folks at your University are your students and they will attack any areas they find the least bit vulnerable.


Thanks

Paul


From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Johan Peterson
Sent: Thursday, February 25, 2010 4:12 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Authenticate (and authorize) clients centrally...

Hi all,

Today our authentication and authorization is spread through the university and many of the institutions and departments have their own account management and directories. We have authentication by Active Directory, Kerberos and LDAP, and authorization by Active Directory, LDAP and NIS. This is what I know about, I'm sure there are more!

We're trying to find a good way to minimize the need for the institutions and departments to run their own account servers and directories. Centrally we have an Active Directory with all employees and students. All institutions and departments have their own OU with delegated permissions to take care of Windows clients. We also have an LDAP with all employees and students.

My question is, do any of you authenticate and authorize Windows, Linux, Unix and Mac clients centrally? In that case, how?

Is it good enough with an Active Directory to authenticate or is it better with a Kerberos? Pros/cons?

Thank you in advance!

/Johan
___
Johan Peterson
IT-Architect
Linköping University | LiU-IT
http://www.liu.se
