[8779] in Info-AFS_Redistribution

Re: Delegate authentication to LDAP?

daemon@ATHENA.MIT.EDU (Bryan L.)
Fri Dec 21 14:35:56 2001

Message-ID: <20011221193107.81721.qmail@web10102.mail.yahoo.com>
Date: Fri, 21 Dec 2001 11:31:07 -0800 (PST)
From: "Bryan L." <bruinbryan@yahoo.com>
To: Peter Scott <Peter.J.Scott@jpl.nasa.gov>, info-afs@transarc.com
In-Reply-To: <4.3.2.7.2.20011221093729.00b29860@mail2a.jpl.nasa.gov>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Hi Peter,
Your best bet might be to just create a plugin on the LDAP server to do AFS
or Kerberos authentication. I know iPlanet has a plugin mechanism that you
can use to do this; I've seen similar things done. OpenLDAP I'm not as sure
about, but I'm sure it can be done as well. There are still issues with
passwords not being in LDAP, but that is another problem.
--Bryan

--- Peter Scott <Peter.J.Scott@jpl.nasa.gov> wrote:
> At 07:02 PM 12/20/01 -0500, Derrick J Brashear wrote:
> > > The LDAP people would greatly prefer that AFS used them rather than
> > > the other way around.
> >
> >I bet. The other way around can be done by treating AFS passwords as
> >Kerberos passwords; OpenLDAP at least supports Kerberos authentication,
> >and you're done. Would that fit within the scope of what you need?
> 
> It might well, subject to the actual workability of it when taking into 
> account the cussedness of AFS Kerberos.  The list may recall my recent
> and ongoing battles with the OpenSSH code. If it works when the rubber 
> meets the road...
