
Re: SASL and LDAP
--On Tuesday, February 03, 2004 5:43 PM +0530 Vikas Gandhi <VGandhi@quark.co.in> wrote:

Hi All

I have chosen Kerberos V5 for SSO. I have already tried the gssapi samples
for all three OS and they work fine, so I know that my configuration
has no such issues. My mission is to develop a generalised library so
that I do not face any problem when I want to add certificate support/TLS
to the server through LDAP.

Questions:
a) As my authentication servers (KDC) are more or less independent of
directory services, am I forced to use authentication through the directory?
i.e.
clientapp --> LDAP --> SASL/GSSAPI --> KDC --> Tickets
or
clientapp --> SASL/GSSAPI --> KDC --> Tickets
I am confused about the basic approaches.

b) If I want to use it through the directory, then I suppose we have to use it as a
plugin? Or is there any other way?

c) Can I use Cyrus SASL as a framework for authentication or not?

Vikas,

At Stanford we have our KDCs separate from OpenLDAP. The general method we use is that you get your K5 tickets during the login process, and then we connect to our LDAP servers to get passwd file information (in the case of posixAccount NIS replacement). So yes, your authentication servers can be completely separate from the directory.

Our client apps use a utility called k5start to get tickets from the KDC. They then use those tickets to authenticate to the directory server to make their queries.

--Quanah



--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
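The two-step flow Quanah describes (tickets first from the KDC, then a SASL/GSSAPI bind to the directory) looks like the following in practice. This is an added example, not code from either poster or from Stanford's setup; k5start (kstart package), ldapsearch (OpenLDAP) and klist (MIT Kerberos) are real tools, but the keytab path, ticket cache path, LDAP URI and base DN are hypothetical placeholders, and the DRY_RUN switch is there so the commands can be reviewed without the tools installed.

```shell
#!/bin/sh
# Added example: Kerberos V5 SSO against a KDC that is independent of the
# directory, followed by a SASL/GSSAPI bind to OpenLDAP for queries.
# Every path, principal, URI and DN here is a hypothetical placeholder.

KEYTAB="${KEYTAB:-/etc/ldap-client.keytab}"      # hypothetical client keytab
CCACHE="${CCACHE:-/tmp/krb5cc_ldapclient}"       # app-private ticket cache
LDAP_URI="${LDAP_URI:-ldap://ldap.example.org}"  # hypothetical OpenLDAP server
BASE_DN="${BASE_DN:-dc=example,dc=org}"          # hypothetical search base
DRY_RUN="${DRY_RUN:-0}"                          # 1 = print commands, do not run

# Run a command with the private ticket cache selected, or print it when
# DRY_RUN=1. Arguments are passed through untouched, so no shell quoting of
# LDAP filters is needed.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        KRB5CCNAME="FILE:$CCACHE" "$@"
    fi
}

# Step 1: clientapp --> SASL/GSSAPI --> KDC --> tickets.
# k5start reads the principal from the keytab (-U), obtains a TGT from the
# KDC into our own cache (-k) rather than the user's default cache, runs the
# trailing command (here just 'true') and exits.
k5start_obtain() {
    run k5start -f "$KEYTAB" -U -k "$CCACHE" -- true
}

# True when the cache already holds an unexpired TGT (MIT 'klist -s'), so the
# KDC is only contacted when a fresh ticket is actually needed.
have_ticket() {
    [ "$DRY_RUN" = "1" ] && return 1
    KRB5CCNAME="FILE:$CCACHE" klist -s 2>/dev/null
}

# Step 2: bind to the directory with SASL/GSSAPI using those tickets.
# No password is sent to the LDAP server; it validates the Kerberos service
# ticket that the GSSAPI mechanism presents during the bind.
gssapi_search() {
    run ldapsearch -LLL -Y GSSAPI -H "$LDAP_URI" -b "$BASE_DN" "$@"
}

# Whole flow for one lookup, e.g. the posixAccount fields of one user:
#   sso_query '(uid=alice)' uidNumber gidNumber homeDirectory
sso_query() {
    have_ticket || k5start_obtain
    gssapi_search "$@"
}
```

With DRY_RUN=1 the script prints the k5start and ldapsearch invocations it would run; without it, the ticket lands in the app-private cache and the search binds with GSSAPI. Keeping the cache separate from the user's default KRB5CCNAME is what lets a long-running client app renew its own tickets without touching the user's session.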