49 Comments
- jiminoc, on 01/18/2009, -0/+31: This must be a fluke, Digg hasn't had a technical article on the front page in months, only Smashing Magazine top 10 lists. It's a Christmas miracle!
- krellor, on 01/18/2009, -0/+21: I don't remember the last time I found an actual technical article on the Digg front page. I'm genuinely surprised this one made it, but glad it did. Most setups that use LDAP seem to have pretty pathetic security as far as just letting anyone out there browse the structure, such as most AD implementations I have seen.
- aflat362, on 01/18/2009, -0/+15: Well, I'm a programmer, not an AIX / network admin, but I can take a stab at it (the AIX or network admin would be more qualified to answer).
But anyway, to me it looks like a how-to guide to configure your AIX server (AIX is IBM's brand of UNIX) to talk to an LDAP server.
An LDAP server is your network's repository of user IDs and groups. On Microsoft networks this would be called "Active Directory"; maybe you've heard of it, maybe not.
Anyway, the end result is that people can log on to the AIX servers with their normal network ID instead of their AIX user ID, so they only have to remember one password.
- aguita, on 01/18/2009, -0/+14: This is what Digg used to be about. I wish we'd get more front page stuff like this.
- Alias1431, on 01/18/2009, -0/+13: Observer A is dead.
- DeathRay2K, on 01/18/2009, -0/+9: Anyone care to explain for laymen what this is and means?
- inactive, on 01/17/2009, -1/+9: This is a great article... Ironic that we were JUST talking about setting up a Kerberos LDAP slave ;-) Right in time, Digg!!
- DeathRay2K, on 01/18/2009, -0/+6: I dugg you up because I assume you've got it right.
- hyankov, on 01/18/2009, -2/+6: Kerberos is a lie... if you ever need to troubleshoot a Kerberos configuration, you better commit suicide...
- KrayzieKyd, on 01/18/2009, -1/+5: YOU don't belong here!
/chickendance
- inactive, on 01/18/2009, -0/+4: Ok, so basically - this article is telling server jerks how to use Tivoli and IBM NAS to create a highly available authentication/authorization environment. That way users don't call you saying stuff like "hey, I can't log in" or "I can't get into 'blah' for the last 20 min".
Oh, and "in before AD / ADAM fanboys".
- hyankov, on 01/18/2009, -0/+3: Kerberos is not about understanding. You can follow all the guidelines and your system may still not work. And the worst thing is - you ask around, people tell you 'did you check this and that', 'yes', and then there is this silence as nobody really knows how to debug it.
This is one unfinished MIT project that has been adopted just because there is no other double-hop problem solving protocol at the moment.
- endus, on 01/18/2009, -1/+4: LDAP in yo face.
- Durrok, on 01/18/2009, -0/+3: *sniff* I miss you, tech Digg. ;(
- Barackalypse, on 01/18/2009, -1/+3: Holy crap, there are officially as many in-depth technical articles on the front page as Obama stories (but sadly, that number is less than the number of "Bush sucks" stories also on the front page).
- jeffness, on 01/18/2009, -0/+2: Top 10 reasons to configure Kerberos LDAP master slave configuration model.
- joshwehatetech, on 01/18/2009, -0/+2: Hard to get excited about something that simply just works as it should and is very easy, as lateralus's comment indicates even though it is supposed to be sarcastic. Well, that is until you do something to it and aren't familiar with FSMO roles or start having fun with ADSI Edit or some other tool.
- inactive, on 01/18/2009, -0/+2: 10. You don't like getting user calls because the WAN team breaks an ATM right before lunch, and now your users can't bounce off the auth servers at corporate when they come back to their offices.
- lateralus, on 01/18/2009, -0/+1: start, run, dcpromo.
I'm a sysadmin too!1!
//sarc
- inactive, on 05/02/2009, -0/+1: Yeah, it's great that it's all user generated content.
Thank you.
Sincerely,
Karoly Domonyi
http://www.ITHomeBusiness.com
- krellor, on 01/18/2009, -0/+1: Not having used it, I really can't say. I'm mostly familiar with enterprise AD implementations, which in my experience are fairly poorly protected. My current employer's implementation allows read access to the directory structure without any kind of authentication. This might not matter as much, except that some people then stick sensitive information out in it in comment fields, etc... Also, in about 5 minutes I wrote a C# app that enumerates the AD and outputs a list of usernames. Useful if you work there, not something you should have if you don't. But, hey, why listen to the enterprise server support person? If they did that, they might get something done. :)
edit: And just to point out the relevance, AD can be easily browsed over LDAP in case someone doesn't know.
- krellor, on 01/18/2009, -0/+1: Maybe I live in the sand, but I have yet to come across any AD fanboys. Then again, I don't get out much and I primarily work on z/OS, so no reason I would.
- uRmyHartBstopR, on 01/18/2009, -0/+1: I will try to do this with my ESL engrish:
LDAP is a centralized authentication system. Now a centralized authentication system is just to verify if you are in fact a user of that network/system. Like say my username uRmyHartBstopR is in the network, so it checks if it is in fact in it and if the password is correct. If blahblah user, which is some made up user, tried to log in and the user doesn't exist, it just rejects access to the network. So centralized meaning regardless of your OS it can check the user. Compare to having a Windows authentication & a Linux authentication and life being harder on the sysadmin.
Kerberos is a ticketing system. It gives out a temporary certificate (ticket). Say you want a file from the network. The file is stored in a storage server (say server A). When your computer asks for the file, Kerberos will give you a time limited ticket. Kerberos tells server A about it. Your computer shows the ticket to server A. Server A verifies it with the Kerberos server. If the ticket checks out then you get the right to download the file from server A.
That's the gist of what I've done with it and learned from class. I know you can do LDAP for other stuff.
- mooninite, on 01/18/2009, -0/+1: I've taken a liking to Fedora Directory Server, which is the open sourcing of Red Hat Directory Server, which is an LDAPv3 server. It runs well and seems secure enough to me, but I'm just a n00b when it comes to LDAP.
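As an added illustration of the ticket flow uRmyHartBstopR sketches above (this is a constructed toy model written for this page, not code from the thread, from IBM, or from any Kerberos implementation): the ticket-granting server issues a time-limited ticket sealed with server A's long-term key together with a fresh session key; the client forwards the ticket and proves it holds the session key with an authenticator; server A checks the ticket locally with its own shared secret and rejects expired, tampered, misdirected or replayed-without-key presentations. HMAC-SHA256 integrity tags stand in for real Kerberos encryption, there is no key distribution or replay cache, and every name, key and lifetime below is an assumption.

```python
import hashlib
import hmac
import json
import os

# Long-term secrets shared between the KDC and each service, and between the
# KDC and each user. Constructed sample values, not real keys.
SERVICE_KEYS = {
    "serverA": b"constructed-server-a-secret",
    "serverB": b"constructed-server-b-secret",
}
USER_KEYS = {"uRmyHartBstopR": b"constructed-user-secret"}

TICKET_LIFETIME = 300   # seconds a ticket stays valid (assumed value)
CLOCK_SKEW = 60         # tolerated age of an authenticator in seconds (assumed value)


def _tag(key: bytes, msg: bytes) -> str:
    """HMAC-SHA256 stands in for Kerberos encryption in this toy model."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class KDC:
    """Issues tickets. Only the KDC knows every service's long-term key."""

    def __init__(self, service_keys, user_keys, lifetime=TICKET_LIFETIME):
        self.service_keys = service_keys
        self.user_keys = user_keys
        self.lifetime = lifetime

    def issue_ticket(self, user, service, now):
        if user not in self.user_keys:
            raise PermissionError(f"unknown principal {user}")
        if service not in self.service_keys:
            raise KeyError(f"unknown service {service}")
        session_key = os.urandom(16).hex()
        body = {"user": user, "service": service,
                "session_key": session_key, "expires": now + self.lifetime}
        payload = json.dumps(body, sort_keys=True).encode()
        # The ticket is bound to the service's key: the client cannot forge
        # or alter it, only forward it. The session key is returned separately.
        ticket = {"payload": payload.hex(), "tag": _tag(self.service_keys[service], payload)}
        return ticket, session_key


def make_authenticator(session_key, user, now):
    """Client proves it holds the session key that is sealed inside the ticket."""
    return {"user": user, "timestamp": now,
            "tag": _tag(session_key.encode(), f"{user}:{now}".encode())}


class Service:
    """A resource server (server A). It never contacts the KDC to verify a ticket."""

    def __init__(self, name, key, skew=CLOCK_SKEW):
        self.name, self.key, self.skew = name, key, skew

    def verify(self, ticket, authenticator, now):
        payload = bytes.fromhex(ticket["payload"])
        if not hmac.compare_digest(_tag(self.key, payload), ticket["tag"]):
            return False, "ticket failed integrity check"
        body = json.loads(payload)
        if body["service"] != self.name:
            return False, "ticket issued for a different service"
        if now > body["expires"]:
            return False, "ticket expired"
        expected = _tag(body["session_key"].encode(),
                        f"{authenticator['user']}:{authenticator['timestamp']}".encode())
        if not hmac.compare_digest(expected, authenticator["tag"]):
            return False, "authenticator not made with the ticket's session key"
        if authenticator["user"] != body["user"]:
            return False, "authenticator principal does not match ticket"
        if abs(now - authenticator["timestamp"]) > self.skew:
            return False, "authenticator outside clock skew"
        return True, body["user"]


def demo(now=1_000_000):
    """Run the happy path and four failure modes; returns {case: (ok, detail)}."""
    kdc = KDC(SERVICE_KEYS, USER_KEYS)
    server_a = Service("serverA", SERVICE_KEYS["serverA"])
    server_b = Service("serverB", SERVICE_KEYS["serverB"])
    user = "uRmyHartBstopR"
    ticket, session_key = kdc.issue_ticket(user, "serverA", now)

    results = {"valid": server_a.verify(ticket, make_authenticator(session_key, user, now), now)}
    late = now + TICKET_LIFETIME + 1
    results["expired"] = server_a.verify(ticket, make_authenticator(session_key, user, late), late)
    results["wrong_service"] = server_b.verify(ticket, make_authenticator(session_key, user, now), now)
    tampered = json.loads(bytes.fromhex(ticket["payload"]))
    tampered["user"] = "blahblah"   # the made-up user from the comment above
    forged = {"payload": json.dumps(tampered, sort_keys=True).encode().hex(), "tag": ticket["tag"]}
    results["tampered"] = server_a.verify(forged, make_authenticator(session_key, "blahblah", now), now)
    # A ticket copied off the wire is useless without the session key.
    results["stolen_ticket"] = server_a.verify(ticket, make_authenticator("guess", user, now), now)
    return results


if __name__ == "__main__":
    for case, (ok, detail) in demo().items():
        print(f"{case:14s} {'accepted' if ok else 'rejected'}: {detail}")
```

The point the model makes is that server A needs only its own long-term key and a roughly synchronised clock to decide; the check is local, and the short lifetime plus the authenticator are what limit the damage from a captured ticket.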
- plaguepony, on 01/18/2009, -1/+2: What about the LAPD master-slave relationship?
- inactive, on 01/18/2009, -0/+1: WTF is Ur PBLM..?
- johndavidjack, on 01/18/2009, -0/+1: It's not terribly difficult to set up Kerberos for most services, with or without an easy button...
- Qumahlin, on 01/18/2009, -0/+1: Or a clear indicator that the internet is no longer "geeks" only and is widely accepted by the masses, hence why on a news conglomeration site visited by said masses you would not typically see articles catered to the "geek".
I see this same comment made on every news conglomeration site with the exception of Fark, which has never attempted to cater to technical users.
- Vosona, on 01/18/2009, -0/+1: SO MANY ACRONYMS
- DouglasScott, on 01/18/2009, -0/+1: OS X Server 10.5 has Kerberos authentication for almost every service, including FTP, surprisingly. If you are running OS X you can see the client in System -> Library -> CoreServices -> Kerberos.
Nice to know there might be a way to scale it up.
- heucuva, on 01/18/2009, -0/+1: I wonder if IBM has had better luck getting Kerberos working than Microsoft. I poked around with it on Windows 2000 (when 2000 came out) and I was horribly confused by the seemingly-infinite recursion that the system required to authenticate; not to mention how horribly documented the setup for Kerberos on 2K was at the time...
Knowing what I know now compared to what I knew back in 1999, and including all of the improvements and new setup documents that are now available on the subject, I would still be likely to fantastically screw up the configuration of Kerberos.
- inactive, on 01/18/2009, -0/+1: Or use a bunch of applications / servers with even remote locations and still get a login.
I.e. a server application in the US and a different server application in Australia could use an LDAP to create common accounts. It comes with CMS software too now, like Joomla! So one could apply an LDAP to Joomla! CMS on GoDaddy in the US and have an Etrade shop in the UK while taking payments in Australia. As the user is logged in using LDAP and the sales data is XML, everything will sync, most of the time...
(I hope that's correct, I am still yet to do this stuff)
- Stonekeeper, on 01/18/2009, -0/+1: SMA
- bdenning, on 01/18/2009, -0/+0: LMAO! Digg effect FTW!
- lateralus, on 01/18/2009, -2/+2: 146 Diggs and IBM's site goes down. Did they sell their web servers to Lenovo too?
- aflat362, on 01/18/2009, -0/+0: So are you a RACF fanboy?
- bdenning, on 01/18/2009, -2/+1: In layman's terms, LDAP and Kerberos together basically give you most of what MS Active Directory provides.
LDAP stores your machine and user information (as well as anything else you wish to throw at it) in a database. Kerberos provides encryption across the network and handles the authentication side of things and determines what access users have.
--
Please note: Before I get flamed about how LDAP is an access protocol and not a database - remember this is layman's terms!
- kanojo1969, on 01/18/2009, -1/+0: I don't understand how this could become front-page. Don't get me wrong, I would rather read this than any of the usual *****. But seriously, how many people could understand what this means AND think it's worth telling others about?
The fact that something like this making the front page is so weird is a sad indictment of the money-grubbing linkfarm ***** that is Digg in 2009.
- SniperGX1, on 01/18/2009, -3/+2: Same could be said for anything you don't understand...
- MikeOSX, on 01/18/2009, -3/+1: Great, I was just wondering how I can hire some more slaves!
- snkscore, on 01/18/2009, -2/+0: Get back to me when you have kissed a girl.
- DealBreaker86, on 01/18/2009, -4/+2: The only reason this made it to the front page is because a Digg user recently got pwned by a reddit user IRL. Now Digg power users have some complexity that makes them want to impress reddit users, by I dunno.. actually having a technical article on the front page for once.. maybe?
- mehan, on 01/18/2009, -4/+1: wat
- JacksonYaya, on 01/18/2009, -4/+0: It's not like we didn't know this already.
- inactive, on 01/18/2009, -6/+0: I'm watching Trailer Park Boys.
- BabyWookie, on 01/18/2009, -7/+1: I don't speak Nerdish, so this is all very confusing to me.
- edud, on 01/18/2009, -8/+2: Now that we have a black president, I find this talk about master & slave very offensive and antiquated.
- imalumberjak, on 01/18/2009, -11/+4: This is definitely not user-friendly enough to be front page stuff.
- snkscore, on 01/18/2009, -8/+1: Buried.
This doesn't belong here.