Re: LDAP Authentification between Debian and Active Directory

[Adam Garside <asg@gimp.shacknet.nu>]

On Sat, Feb 12, 2005 at 06:11:51PM +0100, Mirko Lemke wrote:
> thx for this great tip. It's a interessting thing for other machines 
> that don't need LDAP authentification, but the most of our clients still 
> running woody.
You might possibly run a backport of the sarge/sid package(s) though I'll
leave that up to you whether the risk incurred is acceptible.

> Do you know if kerberos authentification is more securly than ldap?
> Must i have also the SFU-Servies on the windows domain-controller installed?
It is only as secure as the kerberos servers are. LDAP can be secure if
used over ssl. For kerberos authentication (and LDAP authentication only
for that matter) SFU is not required at all. We don't use it. In fact,
I'd very much like to fully integrate our systems with LDAP / NSS but
our Windows Administrators refuse to extend the LDAP schema to support
UNIX clients.

> In first of all we need LDAP authentification for other services like 
> ftp, http, php and so on. Thats why we also authentificate our users 
> with ldap.
Well, at least in AD, LDAP and Kerberos both pull from a single
datastore so accounts can be authenticated via Kerberos and LDAP.

-- asg