
RE: OpenSSL + Kerberos + Cyrus-SASL + OpenLDAP



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Quanah Gibson-Mount

> --On Monday, October 13, 2003 5:18 PM -0400 Igor Brezac <igor@ipass.net> wrote:
>
> > I stand by my recommendation.  Your advice assumes too many restrictions.
> > What if you do not have KDC, what if you want to store krb tickets in the
> > ldap store using heimdal apps, what if you want ldap and/or berkeley
> > support in sasl, etc...
>
> What you gave was not a recommendation, it was a statement that it wasn't
> possible.  Jim already noted he had a KDC.  And storing your krb tickets in
> an ldap store seems rather the security risk to me.  Obviously, how you
> ultimately want to operate your services will affect how you compile these
> packages, as with any set of software packages you put together.

FWIW, we build in order BDB, OpenSSL, Heimdal, SASL, (libtool), LDAP. We then
rebuild Heimdal's libhdb with LDAP enabled, for the KDC.

Given the ephemeral nature of Kerberos tickets, and the fact that they are
frequently associated with a single client address, I don't see much value in
storing them in a distributed repository like LDAP. Not to mention the fact
that you need some other kind of authentication scheme in place to gain
access to LDAP. You have to draw a line somewhere, and it's silly to pull in
more security packages to solve the chicken'n'egg problem.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
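The build order Howard gives above is a topological sort of the packages' link-time dependencies, with one twist: Heimdal's LDAP-backed HDB is built in a second pass because, treated as part of Heimdal, it would close a cycle (Heimdal is needed by the SASL GSSAPI plugin, SASL by OpenLDAP, and the LDAP HDB backend by OpenLDAP). The Python below is an added example, not code from the thread or from any of these projects; the dependency edges in `DEPS` are this example's own assumptions about which component links against which, written to match the order in the message.

```python
"""Model of the OpenSSL/Heimdal/SASL/OpenLDAP build order as a dependency graph.

Added example: the edges are assumptions about link-time dependencies,
not configuration taken from any of the projects involved.
"""

# package -> set of packages that must already be installed before it builds.
DEPS = {
    "bdb": set(),
    "openssl": set(),
    "libtool": set(),
    # Heimdal's crypto is built against OpenSSL in this setup (assumption).
    "heimdal": {"openssl"},
    # Cyrus SASL: GSSAPI plugin needs Kerberos, sasldb can use BDB, TLS via OpenSSL.
    "sasl": {"openssl", "heimdal", "bdb"},
    # OpenLDAP: back-bdb, TLS, SASL binds, and libtool for its build.
    "openldap": {"bdb", "openssl", "sasl", "libtool"},
    # The second pass from the message: libhdb rebuilt with LDAP enabled.
    "heimdal-libhdb-ldap": {"heimdal", "openldap"},
}


def topological_order(deps):
    """Return a build order satisfying deps (Kahn's algorithm).

    Ties are broken alphabetically so the output is deterministic.
    Raises KeyError for an unknown dependency and ValueError naming the
    packages stuck in a dependency cycle.
    """
    remaining = {pkg: set(d) for pkg, d in deps.items()}
    for pkg, d in remaining.items():
        missing = d - set(remaining)
        if missing:
            raise KeyError(f"{pkg} depends on unknown package(s): {sorted(missing)}")
    order = []
    while remaining:
        ready = sorted(pkg for pkg, d in remaining.items() if not d)
        if not ready:
            raise ValueError(f"dependency cycle among: {sorted(remaining)}")
        for pkg in ready:
            order.append(pkg)
            del remaining[pkg]
        for d in remaining.values():
            d.difference_update(ready)
    return order


def order_is_valid(order, deps):
    """True if every package appears after all of its dependencies."""
    position = {pkg: i for i, pkg in enumerate(order)}
    return all(position[dep] < position[pkg] for pkg in deps for dep in deps[pkg])


def single_pass_heimdal():
    """The same graph with the LDAP HDB backend folded into Heimdal itself.

    This is what a one-shot Heimdal build with LDAP support would need, and
    it is exactly the chicken-and-egg situation the second pass avoids.
    """
    deps = {pkg: set(d) for pkg, d in DEPS.items() if pkg != "heimdal-libhdb-ldap"}
    deps["heimdal"].add("openldap")
    return deps


if __name__ == "__main__":
    order = topological_order(DEPS)
    print("two-pass build order:", " -> ".join(order))
    try:
        topological_order(single_pass_heimdal())
    except ValueError as err:
        print("single-pass build fails:", err)
```

Running it prints the two-pass order (BDB, libtool and OpenSSL first, then Heimdal, SASL, OpenLDAP, and finally the LDAP-enabled libhdb) and then reports the cycle that a single-pass Heimdal build would hit. The same check is handy for sanity-testing any locally maintained build script before changing one package's options.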