Antwort: RE: Antwort: Simple binds authenticating against Kerberos
>> Documentation for this is indeed badly lacking, but I happen to have done it
>> recently, so let's document it here. :-)
>It is not documented because this practice is discouraged.
I realised this. However, I don't see any other possibility to design a centralised user/passwords repository that inherently offers a possibility for Single Sign On (Kerberos, SASL/GSSAPI), while allowing the bunch of stupid programs (that we cannot rewrite) to do the simple bind, AND keep only one set of passwords.
Then again, maybe someone here knows a better solution to the following problem:
****
What is a recommended configuration for an organisation that wants to gradually introduce an LDAP/Kerberos Single Sign On solution, but has to take care of the legacy programs that can only do simple binds against the LDAP server?
****
>>Second possibility is to use SASL/GSSAPI. This means that you need to get
>>LDAP+SASL/GSSAPI + Kerberos working first.
>There is nothing to be gained from getting SASL/GSSAPI working when your goal
>is to perform Simple Binds. The two code paths are completely different;
>having one work gives you absolutely zero guarantee that the other will work.
Oh, I didn't realise this, thx for the clarification. In fact, this piece of info will help me a lot in troubleshooting the problems I have now. :-)
Anyway, my goal was to open up the door for "Single Sign On" by introducing the Kerberos authentication, and simple bind against Kerberos is only a "legacy programs support" part of the picture. In fact, I don't see why anyone would introduce Kerberos if he/she doesn't intend to use SASL/GSSAPI as well.
regards
Denis
T-Mobile Austria GmbH,
Information Technologies / Services
Knowledge Management & Process Automation
Dr. Denis Havlik, eMail: denis.havlik@t-mobile.at
Rennweg 12, Zi. 444 Phone: +43-1-79-585/6237
A-1030 Vienna Fax: +43-1-795-85/6584