[31929] in Kerberos


Re: Kerberos & LDAP

daemon@ATHENA.MIT.EDU (Guillaume Rousse)
Sun Jan 17 06:50:29 2010

Message-ID: <4B52F97A.1010808@inria.fr>
Date: Sun, 17 Jan 2010 12:50:18 +0100
From: Guillaume Rousse <Guillaume.Rousse@inria.fr>
MIME-Version: 1.0
To: kerberos@mit.edu
In-Reply-To: <b39594bb1001152149u3cbbca9s7fb4fac721cdd1@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On 16/01/2010 06:49, Prasad (普拉萨德) wrote:
> I am ok that we normally use the Kerberos to keep the password and LDAP is
> just for authorization. But then if my DNS goes down, then no one can login
> to the system because Kerberos is highly dependent on the DNS and NTP.

'Highly' is a bit over-exaggerated here...

If your DNS goes down, your main problem is not authentication, it's
reaching the resource you're wanting to access, unless you're referring
to local user authentication on a workstation. And if that's such a
concern, and your DNS is so fragile, nothing prevents you from hardcoding
critical resource addresses in /etc/hosts files.

And NTP is just a way to ensure various clocks stay synchronized
permanently. Unless you're using virtualisation technologies making
system clocks unreliable, computers don't drift so much as to exceed
maximum Kerberos time skew (which is configurable moreover) before
several days usually.

-- 
BOFH excuse #445:

Browser's cookie is corrupted -- someone's been nibbling on it.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
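
An added example, not part of the original message: a Python sketch that checks the two points raised above, namely which KDC names in a krb5.conf are not pinned in a hosts file (and so still depend on DNS), and how long a free-running clock takes to exceed the configured `clockskew`. The config and hosts text are constructed samples, and the function names and the 50 ppm drift rate used in the comment are assumptions.

```python
import re

# Constructed sample inputs (not taken from the original post).
KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.TEST
    clockskew = 300

[realms]
    EXAMPLE.TEST = {
        kdc = kdc1.example.test
        kdc = kdc2.example.test:88
        admin_server = kdc1.example.test
    }
"""
HOSTS = """\
127.0.0.1   localhost
192.0.2.10  kdc1.example.test kdc1   # pinned KDC
"""
DEFAULT_CLOCKSKEW = 300  # MIT krb5 default for clockskew, in seconds


def kdc_hosts(conf):
    """Host names from kdc/admin_server lines, optional :port stripped."""
    names = re.findall(r"^\s*(?:kdc|admin_server)\s*=\s*(\S+)", conf, re.M)
    return sorted({n.rsplit(":", 1)[0].lower() for n in names})


def clockskew(conf):
    """Configured maximum skew in seconds, or the default if unset."""
    m = re.search(r"^\s*clockskew\s*=\s*(\d+)", conf, re.M)
    return int(m.group(1)) if m else DEFAULT_CLOCKSKEW


def pinned_names(hosts):
    """Every name and alias listed in a hosts file, comments ignored."""
    names = set()
    for line in hosts.splitlines():
        fields = line.split("#", 1)[0].split()
        names.update(f.lower() for f in fields[1:])
    return names


def unpinned_kdcs(conf, hosts):
    """KDC names that would still need DNS to resolve."""
    pinned = pinned_names(hosts)
    return [h for h in kdc_hosts(conf) if h not in pinned]


def days_until_skew(conf, drift_ppm):
    """Days for an unsynchronised clock at drift_ppm to exceed clockskew."""
    return clockskew(conf) / (drift_ppm * 1e-6) / 86400
```

The port-stripping in `kdc_hosts` assumes host names or IPv4 addresses; bracketed IPv6 literals would need separate handling.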
