RE: OpenSSL + Kerberos + Cyrus-SASL + OpenLDAP
"Howard Chu" <hyc@symas.com> wrote:
>
Following-up to several at once, here...
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Quanah
> Gibson-Mount
[snip]
> >
> > What you gave was not a recommendation, it was a statement
> > that it wasn't
> > possible. Jim already noted he had a KDC.
Uhm... no? I'm buildin' the whole shootin' match from the start,
Quanah. (And I've only a vague notion of what the hell I'm doin',
too. I'm truly a n00b in the woods, here ;).)
> > And storing your
> > krb tickets in
> > an ldap store seems rather the security risk to me.
Little as I understand atm: That makes sense to me. Kind of...
> > Obviously, how you
> > ultimately want to operate your services will affect how you
> > compile these
> > packages, as with any set of software packages you put together.
Of course.
>
> FWIW, we build in order BDB, OpenSSL, Heimdal, SASL, (libtool), LDAP. We then
> rebuild Heimdal's libhdb with LDAP enabled, for the KDC.
>
> Given the ephemeral nature of Kerberos tickets, and the fact that they are
> frequently associated with a single client address, I don't see much value in
> storing them in a distributed repository like LDAP. Not to mention the fact
> that you need some other kind of authentication scheme in place to gain
> access to LDAP. You have to draw a line somewhere, and it's silly to pull in
> more security packages to solve the chicken'n'egg problem.
The security issues aside (I have only a vague grasp of what Quanah was
talking about): The above is as good a reason as *I* need not to do
that.
Thanks for the comments, all. Really appreciated.
(Now I'm on to addressing what I should do about the fact that
Heimdal's configure doesn't notice I've got BDB installed in the
default: /usr/local/BerkeleyDB.4.1. So I'll just wait for my
heimdal-discuss subscription request to be approved, and resolve that
bit there. IIRC, from what I've heard in the past: I don't want to
rely on Sun's ndbm implementation.)
Oh btw, everybody: *Please* don't Cc: me when posting to the mailing
list? (That's why I set my Reply-To: to the list.) Thanks :).
--
Jim Seymour | Spammers sue anti-spammers:
jseymour@LinxNet.com | http://www.LinxNet.com/misc/spam/slapp.php
http://jimsun.LinxNet.com | Please donate to the SpamCon Legal Fund:
| http://www.spamcon.org/legalfund/