[8777] in Info-AFS_Redistribution
Re: Delegate authentication to LDAP? (fwd)
daemon@ATHENA.MIT.EDU (Terry McCoy)
Fri Dec 21 10:13:30 2001
Date: Fri, 21 Dec 2001 10:07:07 -0500 (EST)
From: Terry McCoy <terry@nd.edu>
To: Peter.J.Scott@jpl.nasa.gov
cc: leifj@it.su.se, info-afs@transarc.com
Message-ID: <Pine.SOL.4.10.10112210957130.2480-100000@anubis.cc.nd.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Peter:
IMNSHO LDAP should delegate authentication to your Kerberos KDC (AFS ka
server, MIT KDC, Heimdal KDC). I think trying to sync passwords between
them is problematic.
We are currently doing that with iplanet and MIT K5 and previously
we had been doing that with iplanet and AFS ka server. I will see if
the developer here of these plugins will share his knowledge.
--
Terry McCoy email: terry@nd.edu
Sr Systems Engineer phone: (219) 631-4274
Office of Information Technologies
University of Notre Dame
---------- Forwarded message ----------
Date: Fri, 21 Dec 2001 09:51:38 +0100
From: Leif Johansson <leifj@it.su.se>
To: Peter Scott <Peter.J.Scott@jpl.nasa.gov>
Cc: info-afs@transarc.com
Subject: Re: Delegate authentication to LDAP?
Peter Scott wrote:
> Hello. We have umpteen enterprise services with separate
> authentication registries and hence passwords to remember, and in the
> selection of a common authentication registry, LDAP has won the
> battle. More third-party apps that we're interested in can be pointed
> at an LDAP server than at Kerberos; that's just the way it is.
>
> It would be nice to eliminate another password and have people's AFS
> passwords be their LDAP passwords. So the question is, is it possible
> to make either AFS delegate authentication to LDAP, or vice-versa?
> I've searched around and not come up with anything so far.
>
> The LDAP people would greatly prefer that AFS used them rather than
> the other way around. Just because I can't conceive of how this could
> be possible doesn't mean that someone a lot smarter than me hasn't
> figured out a way, so I'm asking. Can anyone point to an
> implementation that has managed to get either AFS to authenticate from
> LDAP or vice-versa?
> --
> Peter Scott
> Peter.J.Scott@jpl.nasa.gov
>
I use glue in my user maintenance code to keep my kerberos and ldap user
information in sync (including passwords). If you want
to try something really funky you can play with the ldap backend in
Heimdal which keeps your principals and keys in your ldap
directory. However (and I will say this only once) LDAP is not an
authentication service. It never was and it never will be. Your
safest bet is to maintain sync between your directory and Kerberos
service by out-of-band means.
Cheers Leif
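As an added illustration of the direction both replies favour (LDAP delegating to the Kerberos KDC rather than holding a synchronized copy of the password), here is an OpenLDAP `{SASL}` pass-through setup. This is editor-supplied example configuration, not something posted in the thread or shipped by AFS, Heimdal or iPlanet; the base DN, the user `jdoe` and the realm `EXAMPLE.COM` are constructed placeholders.

```ldif
# Editor-added example, not from the thread. Constructed entries under a
# hypothetical base DN; "jdoe" and EXAMPLE.COM are placeholders.

# Weak pattern: a sync job writes a copy of the password hash into LDAP,
# so two password stores exist and can drift (the problem Terry describes).
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}PLACEHOLDER-hash-written-by-the-sync-job

# Delegating pattern: with OpenLDAP's {SASL} scheme, slapd hands the
# password from a simple bind to saslauthd, which checks it against the
# Kerberos KDC. The directory stores no password material for this user;
# the KDC stays the single authentication authority (Leif's point).
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SASL}jdoe@EXAMPLE.COM
```

For the `{SASL}` scheme to work, slapd must be built with SASL password support and its SASL configuration (typically the `slapd.conf` file in the Cyrus SASL plugin directory) must contain `pwcheck_method: saslauthd`, with `saslauthd` running as `saslauthd -a kerberos5`. A bind test such as `ldapwhoami -x -D uid=jdoe,ou=People,dc=example,dc=com -W` then succeeds only if the KDC accepts the password. Two caveats a practitioner should keep in mind: the simple bind still carries the cleartext password across the LDAP connection, so it belongs behind TLS, and this delegates only password checking; account data in the directory and principals in the KDC still have to be provisioned together, which is the out-of-band sync Leif refers to.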