
List:       openldap-technical
Subject:    Re: OpenLDAP and optional kerberos ?
From:       Howard Chu <hyc () symas ! com>
Date:       2007-12-29 22:41:50
Message-ID: 4776CD2E.40501 () symas ! com


Nicolas GRENECHE wrote:
> Hi all,
> 
> I need to replace an old NIS with a topnotch OpenLDAP server.
> I would like to add SSO support on my brand new architecture.
> 
> 2 scenarios may occur :
> 1) Using pam_kerberos to authenticate against the KDC and retrieving 
> information from the LDAP server with SASL.
> The backward is that anyone (or anything) that needs to authenticate MUST 
> be kerberos aware.

You mean that any LDAP client must be Kerberos aware? Certainly clients don't 
need to know anything about Kerberos for pam_kerberos to work. And Kerberos in 
LDAP is just a matter of using SASL, the Kerberos details are handled by GSSAPI.

> 2) Having LDAP and Kerberos passwords synced.
> Asset : You can authenticate through LDAP or kerberos (pam_ldap required 
> and pam_kerberos optional) ie you must authenticate against LDAP and if 
> Kerberos authentication succeeds you get a TGT !
> Backward : Two password databases to protect / lot of work on client 
> side / passwords must be synced (Do you know materials to do it ?).

This doesn't seem to offer any actual benefits over (1). But as a matter of 
course, I would use a Heimdal KDC backed by OpenLDAP, in which case there is 
only one password database for both.

> I add that security is not a major concern for us and we have many OSes on 
> the client side, that's why the 1st solution may not fit our needs.
> 
> Has someone ever experienced the second solution ?
> Have you some hints and feedbacks ?
> 
> Thx,
> 
> Nico


-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/
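The two points Howard makes above (Kerberos in LDAP is only a SASL/GSSAPI configuration matter, and a Heimdal KDC backed by OpenLDAP leaves a single password database) come down to a few configuration fragments. The following is an added illustration, not configuration posted in this thread or shipped by the OpenLDAP or Heimdal projects; the realm EXAMPLE.COM, the host ldap.example.com, the DNs under dc=example,dc=com, the path /var/heimdal/m-key and the user nico are all assumed values.

```conf
# ---- client side: /etc/openldap/ldap.conf (assumed values) ----
# Nothing Kerberos-specific is needed beyond selecting the SASL mechanism;
# libldap hands the ticket exchange to the GSSAPI library. A user who has
# run "kinit nico" can then issue "ldapwhoami -Y GSSAPI" with no bind DN
# or password, and slapd reports the directory entry it mapped the
# principal to (see authz-regexp below).
BASE        dc=example,dc=com
URI         ldap://ldap.example.com
SASL_MECH   GSSAPI

# ---- server side: slapd.conf (assumed values) ----
# slapd itself needs a keytab holding the ldap/ldap.example.com@EXAMPLE.COM
# service principal (export KRB5_KTNAME in slapd's environment). The realm
# appears lowercased in the SASL authorization DN that slapd constructs,
# e.g. uid=nico,cn=example.com,cn=gssapi,cn=auth, so the regexp below
# matches the lowercase form and maps it to the real entry by uid.
sasl-realm  EXAMPLE.COM
sasl-host   ldap.example.com
authz-regexp
    uid=([^,]*),cn=example.com,cn=gssapi,cn=auth
    ldap:///ou=people,dc=example,dc=com??one?(uid=$1)

# ---- KDC side: Heimdal kdc.conf pointing the HDB at OpenLDAP (assumed values) ----
# With the Kerberos principals stored in the directory (hdb.schema loaded in
# slapd, KDC talking to slapd over ldapi:// with SASL EXTERNAL), there is one
# password store to protect and nothing to keep in sync: "kadmin" and an LDAP
# password change both operate on the same entry.
[kdc]
    database = {
        dbname    = ldap:ou=KerberosPrincipals,dc=example,dc=com
        mkey_file = /var/heimdal/m-key
    }
```

The `authz-regexp` is the security-relevant line: without it, an authenticated principal is only known to slapd as the synthetic `cn=gssapi,cn=auth` DN and matches no ACL written against real entries; with it, access control applies to the mapped entry exactly as for a simple bind, so the mapping should be as narrow as the regexp allows (one realm, one container, lookup by uid) rather than a catch-all.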

