Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)

[Howard Chu <hyc@symas.com>]

Andreas Schuldei wrote:
> * Tony Earnshaw (tonye@billy.demon.nl) [040729 22:20]:
>
> > Because this one chose Heimdal?

> can someone please comment on the MIT vs Heimdal question? i hear
> Heimdal is able to distribute principals and keys over ldap.

I don't think that's the main purpose of the LDAP-enabled KDC, but I 
guess as long as you don't use a master encryption key, it would work. 
Of course then you need to secure the LDAP sessions.

> We have a network with differnt services (imap, samba, soon AFS,
> ldap, terminal servers, ...) which would need own kerberos keys
> automatically.

> Using Heimdal and ldap would solve our distribution problem.
> But people tell me that this idea is against the spirit of
> kerberos. (An alternative idea for MIT Kerberos would be ssh keys
> without passphrases for every server and automatic distribution
> over ssh.)

And then you've solved your Kerberos key distribution problem by turning 
it into an ssh key distribution problem. Not exactly a step forward.

In all of the available security solutions you always have a 
bootstrapping problem. I guess using SSL may be the easiest approach - 
you can distribute the CA certificate over a cleartext session, and then 
use secure sessions from then on. This assumes that no one is spoofing 
your cleartext LDAP service and substituting their own CA cert in the 
stream, of course. Otherwise, the only sure way to bootstrap is to 
physically transport (e.g., CF or floppy disk) a trusted cert to every 
client machine and load it manually.
--
  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support