
Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos and DIGEST-MD5)



* Quanah Gibson-Mount (quanah@stanford.edu) [040730 01:14]:
> We wrote our own utility that downloads the keys over an encrypted channel 
> to the target system.  It validates the calls using the user's Kerberos 
> principal.  It allows for multiple people to be on the ACL for a keytab, 
> and it allows for multiple groups (which can contain multiple people) to be 
> on the ACL for a keytab.

This does not solve the bootstrap problem, does it? For that the
key needs to get to the server at install (or configuration)
time.

Debian-edu tries to be a turnkey educational system (for
schools) providing several services (optionally on different
servers). Adding new servers (e.g. terminal servers) to the
network would require adding the server to the domain, which of
course would require human admin interaction on the main server
side (otherwise anyone could add his machine as a server). But
that should be minimal, manageable even for teachers.

Your tool could solve this once the authenticity of the new machine
is established and Kerberos is up and running. Could LDAP help me
do even the bootstrapping in a secure fashion?