Iain Morris wrote:
On Sat, Oct 2, 2010 at 7:29 PM, Craig White <craigwhite@azapple.com> wrote:
---- This discussion completely ignores the fact that user authentication is just one of the many things LDAP does. If all you are going to do with LDAP is simple user & group management then you have a lack of imagination.
Not to stray much further off the subject, nor defend AD much further on the CentOS list, but AD does a lot more than user/group auth. In fact it does everything in your list (DNS, mail access lists, etc), and quite a bit more out of the box.
Apple's Open Directory is a nice start, but pretty far behind in the race. In fact if I had a 1000 Mac installation, I'd rather build an AD domain and extend the schema to include the Apple attributes and use WG Manager for the Macs. I honestly believe Apple has put more engineering time into their AD plugin than their OD native interface.
For a mixed installation with a bunch of Windows boxes, you're probably not going to get away from AD, so you might as well leverage it. Honestly, it's a pretty slick kerberos+LDAP+etc integration. There are a few things it does wrong, but trying to beat its manageability, replication, etc with openldap+mit-krb5 is _hard_.
You may get it working, but then someone has to support it down the line. :)
As for Apple's OpenDirectory, I would not inflict it on anyone I like or had to support. While two-thirds of it is openldap+mit-krb5, the third leg is their own proprietary crap that is frail, prone to obscure failures, generally undocumented, stores all the password hashes in yet another database on the server, doesn't handle replication, and generally interferes with your life.
And NIS servers belong in a museum! :-)
Of bad ideas? :)