Pete
If you use AD for authenticating to Shibboleth from a device not owned
by your University/College you theoretically need to buy a Windows
Client Access Licence (CAL) for that device. Campus (MCA) only covers
you for using AD from institutionally owned devices. In reality it is not
practical to do this so Microsoft 'allow' you to buy an external
connector licence. You would need to buy one for each of your domain
controllers (unless you configure LDAP to only use a subset of them).
They're not that expensive. It doesn't matter that you are using LDAP
rather than NTLM.
Some people have tried to argue that it is the Shibboleth server that is
doing the authentication and that you therefore only need to licence the
one device, i.e. the server. However this is called 'multiplexing' in MS
licensing parlance and is explicitly forbidden :-)
Cheers
Nigel
Nigel Bruce
Service Group Leader
Information Systems Services
University of Leeds
LEEDS, LS2 9JT
Tel. 0113 343 5384
-----Original Message-----
From: Discussion list for Shibboleth developments
[mailto:[log in to unmask]] On Behalf Of Steve Prentice
Sent: 29 April 2008 12:41
To: [log in to unmask]
Subject: Re: AD, IdPs and MS licensing
Hi Pete,
I just read your email with interest and am not sure if there were any
replies?
My assumption is that shibboleth (or the associated technologies running
an IdP) only use an LDAP lookup against AD, so wouldn't need any type of
licensing?
Cheers,
Steve
Richard Huish College
-----Original Message-----
From: Discussion list for Shibboleth developments
[mailto:[log in to unmask]] On Behalf Of Pete Lettin
Sent: 25 April 2008 09:44
To: [log in to unmask]
Subject: Re: AD, IdPs and MS licensing
Hi,
We are currently trying to install a shibboleth test server
authenticating against AD.
Did you ever get any information about MS licensing, do we need an
external connector license for shibboleth?
Pete :-)
Pete Lettin
Senior Network Engineer
Doncaster College