Hello PJ,
This is a good area to explore ... again, looking at the "level playing field" aspects ...
> It seems that Microsoft re-engineered the process of authenticating
> users which by-passed the "redirection" Novell had incorporated.
> There has been no mention anyplace that I can find that this
> increases security or adds any level of benefit to the end user.
So let's examine this a little bit. Novell found a way, that by simply copying a couple of files to the NT Server, you could completely redirect all security calls to another security database of your choice ... hmmm ... not a security hole? (Now you asked me to play devil's advocate here ...)
I can actually think of numerous ways to easily "exploit" this to redirect the security calls to either a fake database, or maybe to "stub out" the calls to just return with an ok ...
So what Microsoft created, was a situation where the admin of the NT Server really needs to secure their NT Server against the updating of these files. Now admitted in Novell's case, this is a huge benefit to many if NDS for NT is installed ... but the fact these files can be easily updated *can* be considered a security hole ...
> In fact, one article went so far as to mention it's possible that
> Microsoft did this to deflate Novell's NDS for NT product.
So this is where customers need to speak up, as they did when NDS for NT was introduced ... they need to indicate to Microsoft (with their check-books) where they demand compatibility and interoperability. And this is obviously where the two companies will "jockey for position" in trying to develop a solution which favors their direction ...
> Will Microsoft make this new security sub-system (and all APIs
> necessary) available via their MSDN network?
This *is* a good question ... because it starts to look at the industry as a whole. Will *all* companies release the necessary APIs that allow their security systems to be redirected to a competitors system? *That* is the real question ...
> This is not a conspiracy theory - it's a company protecting their
> new product right? And you know what? In any other case, it's good
> business. But when you are a monopoly, it's not - unless I've
> totally misunderstood the anti-trust laws as explained to me.
... does this mean that *any* company which does not release APIs to allow their security system to be redirected to a competitive system is in breach? I just want to understand the anti-trust laws as you do ... ;-)
> ps - is it true that NDS has performance issues that will (in its
> current iteration) limit the applications in which it can be used?
I'm not privy to any specific performance data of NDS. I've heard a lot of good comments about the NDS v8 performance, and have been impressed overall by the gains that I saw as an employee before leaving Novell.
One thing that I am a firm believer in is that the directory is *not* a replacement for a relational database. Each is optimized for different purposes. There is a very good article by Tim Howes, co-author of LDAP, in an older Data Communications:
data.com
I would suggest that this is a very well written article that outlines some expectations of directories ...
> For instance, I've heard that NDS is not ready for a real-time
> transactions-based application which requires speeds in the
> mainframe range - for instance - financial transactions - any
> thoughts there?
It's interesting ... this is one area that has many ways to solve the problem. High transaction rates in a partitioned, replicated directory can cause a lot of problems. Synchronization of data (keeping the values that are stored, in sync across multiple replicas) is a difficult problem. I like to try and keep things simple, and would usually opt-out of storing values like this in the directory, but instead would try to store a reference to a database or service designed for that purpose ...
For example, although I might be able to use the directory as a mail server (yes! I could design a schema and appropriate protocol gateways to implement a full mail server and store all the data in NDS!) I personally think this is kinda sick and twisted ... ;-)
Scott C. Lemon