
Reply: RE: Reply: Simple binds authenticating against Kerberos






>> Documentation for this is indeed badly lacking, but I happen to have done it
>> recently, so let's document it here. :-)

>It is not documented because this practice is discouraged.

I realised this. However, I don't see any other possibility to design a centralised user/passwords repository that inherently offers a possibility for Single Sign On (Kerberos, SASL/GSSAPI), while allowing the bunch of stupid programs (that we cannot rewrite) to do the simple bind, AND keep only one set of passwords.


Then again, maybe someone here knows a better solution to the following problem:

****
What is a recommended configuration for an organisation that wants to gradually introduce an LDAP/Kerberos Single Sign On solution, but has to take care of the legacy programs that can only do simple binds against an LDAP server?
****

>>Second possibility is to use SASL/GSSAPI. This means that you need to get
>>LDAP+SASL/GSSAPI + Kerberos working first.

>There is nothing to be gained from getting SASL/GSSAPI working when your goal
>is to perform Simple Binds. The two code paths are completely different;
>having one work gives you absolutely zero guarantee that the other will work.

Oh, I didn't realise this, thx for the clarification. In fact, this piece of info will help me a lot in troubleshooting the problems I have now. :-)


Anyway, my goal was to open up the door for "Single Sign On" by introducing the Kerberos authentication, and simple bind against Kerberos is only a "legacy programs support" part of the picture. In fact, I don't see why anyone would introduce Kerberos if he/she doesn't intend to use SASL/GSSAPI as well.

regards
        Denis

T-Mobile Austria GmbH,
Information Technologies / Services
Knowledge Management & Process Automation

Dr. Denis Havlik,                             eMail: denis.havlik@t-mobile.at
Rennweg 12, Zi. 444                       Phone: +43-1-79-585/6237          
A-1030 Vienna                                  Fax: +43-1-795-85/6584