[24595] in Kerberos
Re: is that common to use kerberos authentication for SUN iplanet
daemon@ATHENA.MIT.EDU (Markus Moeller)
Sat Sep 3 21:21:51 2005
To: kerberos@mit.edu
From: "Markus Moeller" <huaraz@moeller.plus.com>
Date: Fri, 2 Sep 2005 21:17:36 +0100
Message-ID: <dfabtn$3ri$1@sea.gmane.org>
X-Complaints-To: usenet@sea.gmane.org
Errors-To: kerberos-bounces@mit.edu
Thank you
Markus
"Craig Huckabee" <huck@spawar.navy.mil> wrote in message
news:43183ECF.6050102@spawar.navy.mil...
>
>
> I'm sorry, I didn't make what we're doing clear. Our MIT KDC is our
> master for our realm, our AD domain trusts that realm. We
> add/modify/delete users on our MIT KDC & AD based on our LDAP directory.
>
> All of our user's passwords are kept solely by the KDC. The GSSAPI LDAP
> module also includes PAM functionality so our LDAP servers use pam_krb5 to
> authenticate - so no crypted password hashes in LDAP. When we push down
> the users to AD, we set the password field there to a long, random, good,
> password - the trust allows the users to authenticate solely from the MIT
> KDC.
>
> So, in the AD case, we just set the appropriate LDAP attribute for each
> user to the crypted passwd string. This user replication process is one
> of the many tools that uses Perl-LDAP & GSSAPI/SASL.
>
> Our tools we give our users to change their password (web based, Unix
> kpasswd, and Windows Ctrl-Alt-Del still works) only need to change it on
> the MIT KDC. Those tools use the standard library functions or the
> Windows equivalent.
>
> Now if only Microsoft would fix their PKINIT implementation so it would
> pass requests to trusted domains like the password functions do I'd be
> happy.
>
> Thanks,
> Craig
>
>
>
>
> Markus Moeller wrote:
>> To point 2) I would do the password change through Kerberos kpasswd or if
>> you need to do it as an admin I think there is also a function in the MIT
>> library to do so.
>>
>> Regards
>> Markus
>>
>> "Craig Huckabee" <huck@spawar.navy.mil> wrote in message
>> news:43175FA9.9090008@spawar.navy.mil...
>>
>>>Markus,
>>>
>>> Two reasons:
>>>
>>> 1) We are working towards turning off non-SSL access to our Sun LDAP
>>> servers.
>>>
>>> 2) We ran into problems when talking to AD using Perl-LDAP/SASL
>>> without SSL. IIRC, we couldn't do a password change over a non-SSL
>>> port - AD spit back an error. Doing everything over SSL cleared up the
>>> problems.
>>>
>>>But, yes, in most cases we could just use one or the other.
>>>
>>>--Craig
>>>
>>>
>>>Markus Moeller wrote:
>>>
>>>
>>>>Craig,
>>>>
>>>>you say you use SASL + SSL. As far as I know SASL/GSSAPI can do
>>>>encryption too. What was the reason not to use SASL/GSSAPI with
>>>>encryption. And example is AD, which can be accessed via SASL/GSSAPI
>>>>with encryption.
>>>>
>>>>Thanks
>>>>Markus
>>>>
>>>>"Craig Huckabee" <huck@spawar.navy.mil> wrote in message
>>>>news:4316DEC8.5060809@spawar.navy.mil...
>>>>
>>>>
>>>>>Kent Wu wrote:
>>>>>
>>>>>
>>>>>> So my question is that is it pretty easy to enable Kerberos for SUN
>>>>>> LDAP after installing SEAM? Or can SUN LDAP use other KDC as well?
>>>>>
>>>>> We use Sun's LDAP server with PADL's GSSAPI plugin - we built our copy
>>>>> against MIT Kerberos 1.3.x and use MIT KDCs. I think the binary
>>>>> versions they sold previously also use MIT Kerberos.
>>>>>
>>>>> We now have several processes that regularly use only GSSAPI/SASL over
>>>>> SSL to authenticate and communicate with LDAP. Works very well.
>>>>>
>>>>>HTH,
>>>>>Craig
>>>>>
>>>>>________________________________________________
>>>>>Kerberos mailing list Kerberos@mit.edu
>>>>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>________________________________________________
>>>>Kerberos mailing list Kerberos@mit.edu
>>>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>>
>>>________________________________________________
>>>Kerberos mailing list Kerberos@mit.edu
>>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>
>>
>>
>>
>> ________________________________________________
>> Kerberos mailing list Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos