Kyle Schmitt wrote:
> On Wed, Jun 18, 2008 at 6:38 PM, Clifford Heath <no / spam.please.net> wrote:
>> Without group memberships in the tickets, every service must keep
>> a separate access rights (authorization) database with an entry
>> for every user, or refer back to the Kerberos server whenever any
>> authorization question must be decided.

> Humm, I've never thought about it in that respect before.  But
> wouldn't the more appropriate thing be to have group memberships and
> service rights stored in the LDAP portion, and only use Kerberos for
> the authentication?

That requires my 2nd alternative, for each service to check group membership
by calling the LDAP server at every authorisation decision point. It's
hugely costly, and defeats the advantages of using a ticketing system in
the first place.

What AD does is to merge the LDAP and Kerberos services into one system,
which is smart since they really are tightly coupled. The group memberships
in the tickets are fetched by Kerberos from the LDAP part during domain
logon. That itself is a very costly operation, since it involves calls
to other domains in the same domain tree, where relevant group membership
info may be stored. You definitely don't want this being done at every
decision point!

Clifford Heath.
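The trade-off Clifford describes (groups resolved once at logon and carried in the ticket, versus a directory query at every authorisation decision) can be made concrete with a small model. The following is an added example, not code from this thread or from any Kerberos implementation: a constructed in-memory directory stands in for the LDAP part, and an HMAC under a shared service key stands in for the KDC's encryption and signing of the ticket. The point it adds is that once the service trusts group claims inside a ticket, the integrity of those claims rests entirely on the KDC's key, so the service must verify the ticket before reading the group list.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass

# Constructed key shared by the KDC and the target service. In real Kerberos
# this role is played by the service's long-term key; here it is a fixed
# sample value so the example runs offline.
SERVICE_KEY = b"constructed-service-key-not-real"

# Constructed group data standing in for the LDAP part of the directory.
DIRECTORY = {
    "alice": {"staff", "finance"},
    "bob": {"staff"},
}


@dataclass
class Directory:
    """Toy LDAP-like store that counts how often it is queried."""
    data: dict
    lookups: int = 0

    def groups_of(self, user):
        self.lookups += 1
        return set(self.data.get(user, ()))


def issue_ticket(directory, user):
    """KDC side: resolve groups once at logon, embed them, and MAC the body."""
    body = {"user": user, "groups": sorted(directory.groups_of(user))}
    raw = json.dumps(body, sort_keys=True).encode()
    mac = hmac.new(SERVICE_KEY, raw, hashlib.sha256).hexdigest()
    return {"body": raw, "mac": mac}


def verify_ticket(ticket):
    """Service side: return the claims only if the MAC matches the body."""
    expected = hmac.new(SERVICE_KEY, ticket["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["mac"]):
        return None  # body was altered after issue, or not issued by the KDC
    return json.loads(ticket["body"])


def authorize_from_ticket(ticket, required_group):
    """Decide locally from the verified group claims; no directory call."""
    claims = verify_ticket(ticket)
    return claims is not None and required_group in claims["groups"]


def authorize_via_directory(directory, user, required_group):
    """The alternative: ask the directory at every decision point."""
    return required_group in directory.groups_of(user)


def compare_lookup_cost(decisions=5):
    """Directory lookups made by each approach over `decisions` checks."""
    d_ticket = Directory(DIRECTORY)
    ticket = issue_ticket(d_ticket, "alice")
    for _ in range(decisions):
        authorize_from_ticket(ticket, "finance")
    d_ldap = Directory(DIRECTORY)
    for _ in range(decisions):
        authorize_via_directory(d_ldap, "alice", "finance")
    return d_ticket.lookups, d_ldap.lookups


def tamper_check():
    """A ticket whose group list is edited after issue must not authorise."""
    d = Directory(DIRECTORY)
    genuine = issue_ticket(d, "bob")  # bob is not in "finance"
    edited = dict(genuine)
    edited["body"] = json.dumps(
        {"user": "bob", "groups": ["finance", "staff"]}, sort_keys=True
    ).encode()
    return authorize_from_ticket(genuine, "finance"), authorize_from_ticket(edited, "finance")


if __name__ == "__main__":
    print("lookups (ticket, per-decision):", compare_lookup_cost())
    print("genuine/edited ticket for 'finance':", tamper_check())
```

Running it shows one directory lookup for the ticket-based path against one per decision for the directory-based path, and that an edited group list fails verification. The cost of that single logon-time lookup, which in AD may span several domains, is exactly why it is done once rather than per decision.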