
Re: OpenLDAP in Production



On Wed, Feb 26, 2003 at 10:53:12AM -0800, Howard Chu wrote:
> > -----Original Message-----
> > From: dreamwvr@dreamwvr.com [mailto:dreamwvr@dreamwvr.com]
Howard;
> I haven't read it. Of course, these are the same folks who brought you the
> LDAP specification in the first place, so I'm sure it won't steer you wrong.
Appreciate that.  
> Hmmm... In general, Kerberos and certificate-based authentication are
> separate systems. You might be talking about Kerberos with the PK-Init
> extension, but that is still only an Internet Draft, not a finalized spec.
> For the most part, you use either Kerberos, or certificates, but not both at
> once.
OK. I was thinking (perhaps too much) that it would be cool to
auth using Kerberos, but require as well, for the SSL end of the
equation, the proper client certs. That way, I had envisioned, a
client would present their proper client cert or be punted. Saves a
little on establishing sessions that will never be around very long.
(If OK, they would have their encrypted SSL session to Heimdal over)
even before they had actually authenticated to the REALM.
This has been done already, right? Or this is what the RFC is about?
In that case, are there any stubs around?

TIA
Best Regards,
dreamwvr@dreamwvr.com

-- 
/*  Security is a work in progress - dreamwvr                 */
#                                                             
# Note: To begin Journey type man afterboot,man help,man hier[.]      
#                                                             
// "Who's Afraid of Schrodinger's Cat?" /var/(.)?mail/me \?  ;-]