directory-users mailing list archives

From Emmanuel Lecharny <>
Subject Re: [Feedback needed] ADS pros and cons ?
Date Wed, 23 Jan 2008 19:03:01 GMT
Denis Cardon wrote:
>> Forgive me for correcting you here but ApacheDS has a DNS and Kerberos
>> service embedded inside.  ApacheDS is not only an LDAP server.
> thanks for the input, Emmanuel already briefed me on that and I expect 
> to roll out a test bench once I manage to get a few hours off.
Don't worry, we usually process mail FIFO, so Alex might have replied 
before having read my answer ;) Anyway, it's a good point that we are on 
the same page !

>> Also MS ActiveDirectory as a process just services LDAP requests (not fully
>> compliant but it works).  Another separate process actually handles the
>> Kerberos requests as the AS and TGTS.  Also the DNS service is a different
>> service as well.  So no MS ActiveDirectory is not all these things in one.
> Actually it is just a war of words. On its web site MS says (among 
> other things :-) "Active Directory provides: (...) Information 
> security and single sign-on for user access to network resources". So 
> I guess Kerberos is considered part of ActiveDS 
In fact, it's not. The Kerberos service is run beside AD, and uses AD as 
a repository (which makes sense). The ADS Kerberos server, on the contrary, 
runs in the same process as the LDAP server.

>> I think you might have been referring to a Windows 200X Server being
>> replaced by the components you listed?
> In my daily business I carry out migration to FOSS systems (both 
> servers and desktop/thin clients). Currently one of the unremovable 
> pieces of software in a Windows environment is the Domain Controller 
> (unless it is NT4 based, which is still quite common in French SMBs).
> Many people assume that, because the FOSS world provides first-grade LDAP 
> servers, it may be possible to replace an ActiveDS. I just wanted to 
> underline that it is not that simple...
Damn not ... Thanks to M$ AD which is not really LDAP compliant, and to 
the thousands of specific ObjectClasses and AttributeTypes they added to 
make it more difficult ;)

cordialement, regards,
Emmanuel Lécharny
