Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos and DIGEST-MD5)
Quanah Gibson-Mount wrote:

--On Wednesday, July 28, 2004 8:05 PM +0200 Jose Gonzalez Gomez
<jgonzalez@opentechnet.com> wrote:

I hope this helps anyone trying to set up a Kerberos/OpenLDAP/SASL
server.

It probably does for those trying to run a KDC on top of OpenLDAP. It
kind of depends on what you want to do. We run an MIT KDC, and use
GSSAPI with OpenLDAP just fine. We simply configure PAM to authenticate
to the KDC for getting passwords, rather than going through LDAP. It
works quite well. We also have SSO throughout the university.

One feature that using pam_ldap in addition to pam_krb5 provides is the
opportunity to enforce password policy, and this is most easily
manageable when both LDAP and Kerberos are using the same authentication
database. That point was raised earlier in the thread but seems to have
been omitted from the summary.

Otherwise you're right, there's no pressing need to go this route.
--
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support