Kyle Schmitt wrote:
> On Wed, Jun 18, 2008 at 6:38 PM, Clifford Heath <no / spam.please.net> wrote:
>> Without group memberships in the tickets, every service must keep
>> a separate access rights (authorization) database with an entry
>> for every user, or refer back to the Kerberos server whenever any
>> authorization question must be decided.
> Humm, I've never thought about it in that respect before. But
> wouldn't the more appropriate thing be to have group memberships and
> service rights stored in the LDAP portion, and only use Kerberos for
> the authentication?

That requires my 2nd alternative, for each service to check group membership by calling the LDAP server at every authorisation decision point. It's hugely costly, and defeats the advantages of using a ticketing system in the first place.

What AD does is to merge the LDAP and Kerberos services into one system, which is smart since they really are tightly coupled. The group m'ships in the tickets are fetched by Kerberos from the LDAP part during domain logon. That itself is a very costly operation, since it involves calls to other domains in the same domain tree, where relevant group membership info may be stored. You definitely don't want this being done at every decision point!

Clifford Heath.
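A toy model of the trade-off described in this exchange, added here as an illustration and not code from the thread: the in-memory directory, the principals and the group names are all constructed, the nested-group expansion stands in for the cross-domain membership fetch that happens at logon, and the counter of directory lookups is the cost being compared.

```python
from collections import deque

# Constructed directory: principal -> direct groups; groups may nest, as in a domain tree.
DIRECTORY = {
    "alice": {"dev-team"},
    "bob": {"contractors"},
    "dev-team": {"engineering"},
    "engineering": {"all-staff"},
}

class Directory:
    """Stands in for the LDAP part and counts lookups (round trips)."""
    def __init__(self, data):
        self.data = data
        self.lookups = 0

    def direct_groups(self, name):
        self.lookups += 1  # one simulated LDAP query per call
        return self.data.get(name, set())

    def transitive_groups(self, name):
        """Expand nested memberships breadth-first, one query per node."""
        seen, queue = set(), deque([name])
        while queue:
            for group in self.direct_groups(queue.popleft()):
                if group not in seen:
                    seen.add(group)
                    queue.append(group)
        return seen

def issue_ticket(directory, user):
    """Logon: expand the user's groups once and embed them in the ticket."""
    return {"user": user, "groups": frozenset(directory.transitive_groups(user))}

def authorize_with_ticket(ticket, allowed_groups):
    """Decision point that needs no directory round trip at all."""
    return bool(ticket["groups"] & allowed_groups)

def authorize_via_directory(directory, user, allowed_groups):
    """Decision point that re-queries the directory on every check."""
    return bool(directory.transitive_groups(user) & allowed_groups)

def lookup_cost(user, allowed_groups, decisions):
    """Lookups spent on `decisions` checks: (ticket design, per-check design)."""
    d_ticket, d_check = Directory(DIRECTORY), Directory(DIRECTORY)
    ticket = issue_ticket(d_ticket, user)
    for _ in range(decisions):
        authorize_with_ticket(ticket, allowed_groups)
        authorize_via_directory(d_check, user, allowed_groups)
    return d_ticket.lookups, d_check.lookups
```

The model also shows the flip side of embedding groups at logon: the ticket's group list is frozen until a new ticket is issued, so a membership change in the directory only takes effect at the next logon.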