Re: Synchronize LDAP with DCE ?
- Sorry about the previous content-free message.
Early morning pilot error...
On Fri, 25 Jun 1999, Kurt D. Zeilenga wrote:
> This might be of interest to some of you...
>
> (This is a modified copy of a reply I sent)
>
> Someone wrote:
> > I wrote:
> > > Someone else wrote:
> > > >I'd like to know if it is possible to bind to an entry in an LDAP database, with
> > > >password for binding obtained from an "external" source, e.g. NIS, DCE, etc.
> > > Yes, Kerberos.
> > But the DCE version we're using supports Kerberos V only. Will future versions
> > of OpenLDAP support Kerberos V?
>
> Yes. In fact, you might be able to use OpenLDAP with KV today using KV's
> IV API support. Minor changes might be needed. And, of course, someone
> could extend (or likely has extended) the protocol to support a KV specific bind.
> But the future will be KV via SASL.
>
> > > One could also modify the code to support lookup via
> > > getpwent(), which would give you /etc/passwd, NIS, PAM
> > > integration.
> > Yes, it works with minor modification.
>
> I was thinking someone could easily add support to allow:
> dn: uid=foo,dc=bar
> objectclass: person
> objectclass: dcObject
> uid: foo
> userPassword: {unix}foo
>
> The server would key on the {unix} method; the hash value "foo" is
> actually the user to look up...
>
> In fact, maybe kerberos should use this approach:
> userPassword: {kerberos}bjensen@umich.edu
>
> instead of using the krbName approach.
>
> Of course, someone might want to extend slapd to support multiple
> user passwords...
>
> Note: overloading userPassword with the kerberos may not actually be wise.
>
- IMHO, this is a really bad idea. One of the really nice advantages
of the current krbName approach is that it effectively gives you a
convenient "group" or role mechanism, i.e. an LDAP DN can have many
krbNames. Also, there are potential uses for krbName beyond Kerberos
authentication.
- Overloading userPassword with SASL mechanisms doesn't make
a whole lot of sense to me. Doing this kind of embedding makes
ACLs even more difficult. In this one case (unix pwds) I guess
it makes some sense, but as a general principle, I think it's a
REALLY BAD IDEA.
- Booker C. Bense
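The two styles of userPassword value discussed in the thread, as an added illustration that is not code from OpenLDAP or from either poster: a stored hash ({SSHA}) is a secret the server verifies itself, whereas the proposed {unix}login value is only a pointer to an account in an external password source. The external source is a constructed lookup table here, standing in for getpwent()/NIS; the function names are mine.

```python
import base64
import hashlib
import hmac
import os
import re

# Constructed stand-in for an external password source (getpwent(), NIS, ...):
# unix login name -> the password that source would accept. Real code would
# call the system's verifier instead of holding passwords in a table.
EXTERNAL_UNIX_USERS = {"foo": "s3cret-from-nis"}

_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}(.*)$", re.S)


def parse_user_password(value: str):
    """Split '{scheme}payload' as stored in userPassword; no prefix means cleartext."""
    m = _SCHEME_RE.match(value)
    if not m:
        return "CLEARTEXT", value
    return m.group(1).upper(), m.group(2)


def make_ssha(password: str, salt: bytes = None) -> str:
    """Produce a {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(payload: str, candidate: str) -> bool:
    raw = base64.b64decode(payload)
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)


def check_bind(stored: str, candidate: str) -> bool:
    """Simple bind check dispatching on the userPassword scheme prefix."""
    scheme, payload = parse_user_password(stored)
    if scheme == "SSHA":
        return verify_ssha(payload, candidate)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(payload.encode(), candidate.encode())
    if scheme == "UNIX":
        # Payload is not a secret but an identity mapping: whoever may write
        # this attribute chooses which external account it maps to, which is
        # why the ACL on userPassword matters more here than for a stored hash.
        expected = EXTERNAL_UNIX_USERS.get(payload)
        return expected is not None and hmac.compare_digest(expected.encode(), candidate.encode())
    return False  # unknown scheme never authenticates
```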