[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: kpasswd

To: Allan E Johannesen <aej@WPI.EDU>, Allan Streib <astreib@indiana.edu>
Subject: Re: kpasswd
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Thu, 16 Oct 2003 09:42:11 -0700
Cc: Frank Swasey <Frank.Swasey@uvm.edu>, Paul M Fleming <pfleming@siumed.edu>, openldap-software@OpenLDAP.org
Content-disposition: inline
In-reply-to: <16270.41336.808858.102511@ccc3.WPI.EDU>
References: <Pine.LNX.4.58.0310160842510.1290@ybpnyubfg.ybpnyqbznva> <3CD59F46-FFDD-11D7-B9A5-000393033826@indiana.edu> <16270.41336.808858.102511@ccc3.WPI.EDU>

--On Thursday, October 16, 2003 9:47 AM -0400 Allan E Johannesen <aej@WPI.EDU> wrote:

"astreib" == Allan Streib <astreib@indiana.edu> writes:


astreib> Add my vote to keep it.  We use it, heavily.  We've found too
many astreib> clients either don't handle SASL or don't handle the GSSAPI
mechanism. astreib> Doing a simple bind over ssl/tls and providing a
kerberos password is astreib> a great alternative.  We're not interested
in doing having passwords astreib> anywhere but in Kerberos.

Yes, I use SASL/GSSAPI for automatic identification of ldap users for
those who have logged in to unix, who are using command lines to
reference the directory. When that feature came around I thought it was
really slick.

However, I've always used, and continue to need,

userPassword: {kerberos}user@domain

binding for various reasons.  e.g. across the web to the directory, that
authentication uses the ldap acl to show people different amounts of info
depending on whether they are a user or not.

I also used ldap for my primary authentication of web clients since
binding to ldap was so much more comprehensible to me than using kerberos.

If there is some way to influence ldap to use:

userPassword: {sasl, via kerberos}user@domain

which seems like it would remove the need for ldap to deal with kerberos
on its own, then that would be fine with me, but I don't know how to
accomplish that.

Well, it sounds like this feature may solve something that I've been wanting to do, which is allow mail clients to do authenticated lookups against our directory. We've implemented SASL/GSSAPI here @ Stanford, and it works wonderfully... I've never had problems with it working, just problems configuring it to work. After getting that resolved, I've not had issues with it. I'll be going down a new path now, investigating kpasswd over SSL for certain clients. ;)

In general, if you are looking at SASL/GSSAPI web authentication with usage on OpenLDAP, I'll note that Stanford has written a web authentication software package that was specifically designed so that it could be used by people other than Stanford for this type of authentication. See <http://webauthv3.stanford.edu> for more information if you are interested.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

References:
- Re: kpasswd
  - From: Frank Swasey <Frank.Swasey@uvm.edu>
- Re: kpasswd
  - From: Allan Streib <astreib@indiana.edu>
- Re: kpasswd
  - From: Allan E Johannesen <aej@WPI.EDU>

Prev by Date: defaultServerList: Attribute Type Undefined
Next by Date: Re: kpasswd
Index(es):
- Chronological
- Thread