List: openldap-technical
Subject: Re: OpenLDAP and optional kerberos ?
From: Howard Chu <hyc () symas ! com>
Date: 2007-12-29 22:41:50
Message-ID: 4776CD2E.40501 () symas ! com
Nicolas GRENECHE wrote:
> Hi all,
>
> I need to replace an old NIS with a top-notch OpenLDAP server.
> I would like to add SSO support on my brand new architecture.
>
> Two scenarios may occur:
> 1) Using pam_kerberos to authenticate against the KDC and retrieving
> information from the LDAP server with SASL.
> The drawback is that anyone (or anything) that needs to authenticate MUST
> be Kerberos aware.
You mean that any LDAP client must be Kerberos aware? Certainly clients don't
need to know anything about Kerberos for pam_kerberos to work. And Kerberos in
LDAP is just a matter of using SASL, the Kerberos details are handled by GSSAPI.
> 2) Having LDAP and Kerberos passwords synced.
> Asset: you can authenticate through LDAP or Kerberos (pam_ldap required
> and pam_kerberos optional), i.e. you must authenticate against LDAP and if
> Kerberos authentication succeeds you get a TGT!
> Drawback: two password databases to protect / a lot of work on the client
> side / passwords must be synced (do you know of materials to do it?).
This doesn't seem to offer any actual benefits over (1). But as a matter of
course, I would use a Heimdal KDC backed by OpenLDAP, in which case there is
only one password database for both.
> I should add that security is not a major concern for us and we have many
> OSes on the client side; that's why the 1st solution may not fit our needs.
>
> Has someone ever experienced the second solution ?
> Have you some hints and feedbacks ?
>
> Thx,
>
> Nico
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
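Scenario (1) as Howard describes it, written out as an added configuration example (not part of this thread, and not OpenLDAP's or Heimdal's own documentation): the LDAP client binds with SASL/GSSAPI, slapd maps the Kerberos principal onto a directory entry with authz-regexp, and the PAM stack uses pam_krb5 (the usual module name for what the question calls pam_kerberos) to turn the login password into a TGT. The realm EXAMPLE.COM, the host ldap.example.com, the suffix dc=example,dc=com, the user nico and the file paths are all assumed.

```conf
# --- slapd.conf (server side; realm, host and suffix are assumed) ---
# slapd finds its service key (ldap/ldap.example.com@EXAMPLE.COM) in the keytab
# named by KRB5_KTNAME in slapd's environment, e.g. KRB5_KTNAME=/etc/krb5.keytab
# (assumed path); that keytab must be readable by the slapd user and nobody else.
sasl-realm  EXAMPLE.COM
sasl-host   ldap.example.com

# A successful GSSAPI bind gives slapd the SASL authentication identity
#   uid=<principal>,cn=<realm>,cn=gssapi,cn=auth
# Map it onto the user's entry so that ACLs (and the user's own lookups) see the
# real DN. The realm is written in lowercase here, following the form used in the
# OpenLDAP Administrator's Guide example.
authz-regexp
    "uid=([^,]*),cn=example.com,cn=gssapi,cn=auth"
    "uid=$1,ou=People,dc=example,dc=com"

# No userPassword is consulted for a GSSAPI bind: the KDC already decided.

# --- /etc/openldap/ldap.conf (client side, used by the OpenLDAP tools) ---
URI         ldap://ldap.example.com
BASE        dc=example,dc=com
SASL_MECH   GSSAPI
SASL_REALM  EXAMPLE.COM

# --- /etc/pam.d/system-auth (client side; file name varies per distribution) ---
# Login asks the KDC, not the LDAP server, to verify the password, and gets a TGT.
auth    sufficient  pam_krb5.so
auth    required    pam_unix.so try_first_pass

# --- check from a client shell (commands, shown as comments) ---
# kinit nico@EXAMPLE.COM
# ldapwhoami -Y GSSAPI
# ldapsearch -Y GSSAPI '(uid=nico)'
```

ldapwhoami is the useful check: it reports the identity the bind ended up with, so if it still shows the raw uid=...,cn=gssapi,cn=auth form the authz-regexp did not match and ACLs written against ou=People will not apply. The client-side work the question worries about only arises if the host's own NSS lookups (nss_ldap and friends) must also bind with GSSAPI, since that needs a credential cache fed from a host keytab; lookups can instead use an anonymous or simple bind, keeping Kerberos on the PAM side only, which is what Howard means by clients not needing to know about Kerberos.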