
Re: Synchronize LDAP with DCE ?



- Sorry about the previous new-content-free message.
Early morning pilot error...

On Fri, 25 Jun 1999, Kurt D. Zeilenga wrote:

> This might be of interest to some of you...
> 
> (This is a modified copy of a reply I sent)
> 
> Someone wrote:
> > I wrote:
> > > Someone else wrote:
> > > >I'd like to know if it is possible to bind to an entry in an LDAP database, with
> > > >password for binding obtained from an "external" source, e.g. NIS, DCE, etc.
> > > Yes, Kerberos.
> > But the DCE version we're using supports Kerberos V only.  Will future versions
> > of OpenLDAP support Kerberos V?
> 
> Yes.  In fact, you might be able to use OpenLDAP with KV today using KV's
> IV API support.  Minor changes might be needed.  And, of course, someone
> could extend (or likely has extended) the protocol to support a KV specific bind.
> But the future will be KV via SASL.
>
> > > One could also modify the code to support lookup via
> > > getpwent(), which would give you /etc/passwd, NIS, PAM
> > > integration.
> > Yes, it works with minor modification.
> 
> I was thinking someone could easily add support to allow:
> 	dn: uid=foo,dc=bar
> 	objectclass: person
> 	objectclass: dcObject
> 	uid: foo
> 	userPassword: {unix}foo
> 
> The server would key on {unix} method, the hash value "foo" is
> actually the user to look up...
> 
> In fact, maybe kerberos should use this approach:
> 	userPassword:	{kerberos}bjensen@umich.edu
> 
> instead of using the krbName approach.
> 
> Of course, someone might want to extend slapd to support multiple
> user passwords...
> 
> Note: overloading userPassword with the kerberos may not actually be wise.
> 

- IMHO, this is a really bad idea. One of the really nice advantages
of the current krbName approach is that it effectively gives you a
convenient "group" or role mechanism, i.e., an LDAP DN can have many
krbNames. Also, there are potential uses for krbName beyond kerberos
authentication.

- Overloading userPassword with SASL mechanisms doesn't make
a whole lot of sense to me. Doing this kind of embedding makes
ACLs even more difficult. In this one case (unix pwds) I guess
it makes some sense, but as a general principle, I think it's a
REALLY BAD IDEA.

- Booker C. Bense
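The `{unix}foo` proposal quoted above describes a server that keys on the `{scheme}` prefix of `userPassword` and treats the remainder as a username to look up elsewhere rather than as a stored hash. The following is an added example, not code from the thread or from OpenLDAP, showing what such a dispatcher looks like and why it needs to fail closed: the scheme registry, the in-memory `FAKE_SHADOW` table standing in for the `getpwent()`/shadow lookup the thread mentions, and the salted SHA-256 hashing are all assumptions made for this illustration.

```python
"""Added example: scheme-prefixed userPassword dispatch (not from the thread).

The quoted proposal has the server key on the "{unix}" prefix and treat
the payload "foo" as a user to look up in the host password database.
Here the host database is a constructed in-memory table (FAKE_SHADOW),
a stand-in for getpwent()/shadow, so the example runs offline.
"""
import hashlib
import hmac
import re
from typing import Callable, Dict, Optional, Tuple

# RFC 2307 style prefix: "{scheme}payload". Anything else is plaintext.
_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)


def parse_userpassword(value: str) -> Tuple[Optional[str], str]:
    """Split a userPassword value into (scheme, payload); scheme is None
    when the value carries no {prefix}."""
    m = _SCHEME_RE.match(value)
    if not m:
        return None, value
    return m.group(1).lower(), m.group(2)


def _salted_sha256(salt: str, password: str) -> str:
    # Constructed hash format for the fake host database (assumption).
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed stand-in for the host's password database: user -> (salt, hash).
FAKE_SHADOW: Dict[str, Tuple[str, str]] = {
    "foo": ("s4lt", _salted_sha256("s4lt", "correct horse")),
}


def _unix_verify(payload: str, candidate: str) -> bool:
    """{unix}<username>: the payload is a user name, not a hash.
    Look the user up in the host database and compare the candidate
    against the hash stored there."""
    record = FAKE_SHADOW.get(payload)
    if record is None:
        return False  # unknown host user: fail closed
    salt, stored = record
    return hmac.compare_digest(stored, _salted_sha256(salt, candidate))


# Scheme registry. Only "unix" is implemented here; a "{kerberos}" value
# (also proposed in the thread) has no handler and is therefore rejected.
VERIFIERS: Dict[str, Callable[[str, str], bool]] = {
    "unix": _unix_verify,
}


def verify_bind(entry_userpassword: str, candidate: str) -> bool:
    """Simple-bind check against one userPassword attribute value.

    Returns True only when a known scheme's handler accepts the
    candidate; an unknown scheme never falls through to a plaintext
    comparison, since that would let "{typo}secret" be matched literally."""
    scheme, payload = parse_userpassword(entry_userpassword)
    if scheme is None:
        # No prefix: RFC 2307 plaintext; constant-time compare.
        return hmac.compare_digest(payload.encode(), candidate.encode())
    handler = VERIFIERS.get(scheme)
    if handler is None:
        return False  # unregistered scheme: fail closed
    return handler(payload, candidate)


if __name__ == "__main__":
    # The entry from the quoted proposal: userPassword: {unix}foo
    print(verify_bind("{unix}foo", "correct horse"))           # True
    print(verify_bind("{unix}foo", "wrong"))                    # False
    print(verify_bind("{kerberos}bjensen@umich.edu", "x"))      # False, no handler
```

The design point worth noticing is that `{unix}foo` is a reference, not a credential: the real secret lives in a different database with its own access controls, which is the "embedding makes ACLs more difficult" objection in practice. Whoever can write `userPassword` on the entry can repoint it at any host account, so write access to that attribute must be treated as equivalent to write access to the referenced backend.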