OpenLDAP (v1.2.11), Kerberos (MIT Krb5, v1.2.1) and client software
- To: openldap-software@OpenLDAP.org
- Subject: OpenLDAP (v1.2.11), Kerberos (MIT Krb5, v1.2.1) and client software
- From: Turbo Fredriksson <turbo@bayour.com>
- Date: 25 Jan 2001 15:35:50 +0100
- Organization: LDAP expert wannabe
- User-agent: Gnus/5.0807 (Gnus v5.8.7) Emacs/20.7
I've been running OpenLDAP/PAM authentication for about a year now,
with very little trouble (every now and then the server dies, and
replication isn't as automagic as I'd hoped for).
I am now on the verge of the next big step, KERBEROS!
I post this mail in the hopes that I will understand better what I'm
about to do, and to see if I am mixing things up, or if I am way out
on the left field... :)
I am currently setting up Kerberos/PAM on my laptop/workstation/development
platform and so far so good... I have great hopes that this will work
just fine...
What I would like, in the end, is to have all this
(OpenLDAP/Kerberos/QmailLDAP etc.) as one. That is, not two passwords,
but one...
Kerberos between the OpenLDAP master/replicas, Kerberos from the
client machines (using pam_ldap) to the OpenLDAP database, and the
possibility to have a 'single-sign-on' kind'a system (using Kerberos
tickets).
That is, _ALL_ communication to the OpenLDAP database should use
Kerberos. That includes QmailLDAP/Controls doing Kerberos
authentication/encrypted communication to the OpenLDAP server.
Preferably the 'kerberosSecurityObject' objectclass (with the attribute
'krbName') should somehow be used in all this too...
* First question: IF I recompile OpenLDAP '--with-kerberos', how is the
Kerberos authentication/encryption done? Is it up to the client software
to do the Kerberos init?
* Second question: How do I combine OpenLDAP with (MIT) Kerberos?
* Third question: How do I make my client machines (from/via PAM I suppose)
use Kerberos to talk to the LDAP database?
* Fourth question: Since I'm doing round-robin to the LDAP database
(currently only one master and one replica, but more replicas are planned),
would that somehow disturb the 'Kerberos ticketing stuff' (sorry for the
use of a bad word, but I'm just starting to learn about 'this Kerberos stuff'
:) )?
Anything else that I might have overlooked, or should study closer? Is there
some kind of (mini/micro) HOWTO/FAQ that I can take a look at to understand
the issue(s) better?
--
Turbo Fredriksson <turbo@tripnet.se>, Stockholm/Sweden
Debian Certified Linux Developer
"Debian GNU Unix _IS_ user friendly - it's just selective about who its friends are"