[8776] in Info-AFS_Redistribution
Re: Delegate authentication to LDAP?
daemon@ATHENA.MIT.EDU (Leif Johansson)
Fri Dec 21 04:01:28 2001
Message-ID: <3C22F81A.4020703@it.su.se>
Date: Fri, 21 Dec 2001 09:51:38 +0100
From: Leif Johansson <leifj@it.su.se>
MIME-Version: 1.0
To: Peter Scott <Peter.J.Scott@jpl.nasa.gov>
CC: info-afs@transarc.com
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Peter Scott wrote:
> Hello. We have umpteen enterprise services with separate
> authentication registries and hence passwords to remember, and in the
> selection of a common authentication registry, LDAP has won the
> battle. More third-party apps that we're interested in can be pointed
> at an LDAP server than at Kerberos; that's just the way it is.
>
> It would be nice to eliminate another password and have people's AFS
> passwords be their LDAP passwords. So the question is, is it possible
> to make either AFS delegate authentication to LDAP, or vice-versa?
> I've searched around and not come up with anything so far.
>
> The LDAP people would greatly prefer that AFS used them rather than
> the other way around. Just because I can't conceive of how this could
> be possible doesn't mean that someone a lot smarter than me hasn't
> figured out a way, so I'm asking. Can anyone point to an
> implementation that has managed to get either AFS to authenticate from
> LDAP or vice-versa?
> --
> Peter Scott
> Peter.J.Scott@jpl.nasa.gov
>

I use glue in my user maintenance code to keep my Kerberos and LDAP user
information in sync (including passwords). If you want to try something
really funky you can play with the LDAP backend in Heimdal which keeps your
principals and keys in your LDAP directory. However (and I will say this
only once) LDAP is not an authentication service. It never was and it never
will be. Your safest bet is to maintain sync between your directory and
Kerberos service by out-of-band means.

Cheers Leif
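As an added illustration (not Leif's glue code nor anything from this thread), one shape the out-of-band sync can take: a reconciliation pass that treats the directory as authoritative for which accounts exist and are active, compares it with the realm's principal list, and emits the kadmin commands to apply. Assumptions: MIT kadmin command syntax, a realm named EXAMPLE.COM, and constructed LDAP and principal data standing in for a live directory and KDC.

```python
# Added example, not code from the thread: reconciliation pass for the
# out-of-band LDAP <-> Kerberos sync the reply recommends. Constructed sample
# data replaces a live LDAP search and `kadmin listprincs`.
from dataclasses import dataclass

REALM = "EXAMPLE.COM"  # assumed realm name
# Constructed stand-in for LDAP entries: uid -> account is active.
LDAP_USERS = {"alice": True, "bob": True, "carol": False}
# Constructed stand-in for the realm's principal list (krbtgt is a service).
KRB_PRINCS = {"alice@EXAMPLE.COM", "carol@EXAMPLE.COM",
              "dave@EXAMPLE.COM", "krbtgt/EXAMPLE.COM@EXAMPLE.COM"}

@dataclass(frozen=True)
class SyncPlan:
    create: tuple   # uids in LDAP with no user principal
    disable: tuple  # uids inactive in LDAP that still have a principal
    orphan: tuple   # principals with no LDAP entry (report only, never delete)

def user_principals(krb_princs, realm):
    """Map uid -> principal for plain user principals of this realm."""
    out = {}
    for princ in krb_princs:
        name, _, prealm = princ.rpartition("@")
        if prealm == realm and "/" not in name:  # skip host/service princs
            out[name] = princ
    return out

def plan_sync(ldap_users, krb_princs, realm):
    """The directory is authoritative for who exists and whether the account
    is active; Kerberos stays authoritative for the key material."""
    princs = user_principals(krb_princs, realm)
    create = tuple(sorted(u for u, on in ldap_users.items()
                          if on and u not in princs))
    disable = tuple(sorted(u for u, on in ldap_users.items()
                           if not on and u in princs))
    orphan = tuple(sorted(u for u in princs if u not in ldap_users))
    return SyncPlan(create, disable, orphan)

def kadmin_commands(plan, realm):
    """Render the plan as MIT kadmin commands (assumed syntax). A new principal
    gets a random key plus a forced change: the LDAP password hash cannot be
    read back, so the real password must come from a password-change hook."""
    cmds = [f"add_principal -randkey +needchange {u}@{realm}" for u in plan.create]
    cmds += [f"modify_principal -allow_tix {u}@{realm}" for u in plan.disable]
    return cmds
```

Orphaned principals are only reported, since deleting them automatically would turn a directory outage or a partial LDAP result into a lockout.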