[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)

To: Andreas Schuldei <andreas@schuldei.org>
Subject: Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Fri, 30 Jul 2004 09:28:56 -0700
Cc: Openldap list <openldap-software@OpenLDAP.org>
Content-disposition: inline
In-reply-to: <20040730033646.GL2125@markus.schuldei.org>
References: <1EA0D424-E0E7-11D8-A4CF-000A959133A8@u.washington.edu> <Pine.LNX.4.58.0407290820350.2919@ybpnyubfg.ybpnyqbznva> <1091128959.10757.198.camel@localhost> <20040729215216.GG2125@markus.schuldei.org> <4C40C4835866B32082DA7733@cadabra-dsl.stanford.edu> <20040730033646.GL2125@markus.schuldei.org>

--On Friday, July 30, 2004 5:36 AM +0200 Andreas Schuldei <andreas@schuldei.org> wrote:

* Quanah Gibson-Mount (quanah@stanford.edu) [040730 01:14]:

We wrote our own utility that downloads the keys over an encrypted
channel  to the target system.  It validates the calls using the user's
Kerberos  principal.  It allows for multiple people to be on the ACL for
a keytab,  and it allows for multiple groups (which can contain multiple
people) to be  on the ACL for a keytab.


this does not solve the bootstrap problem, does it? for that the
key needs to get to the server at install (or configuration)
time.

This is really getting OT for OL, so please just email me directly on further responses. ;)

It does essentially, because our utility authenticates you to the KDC, and then downloads the key. You can then install the key at build time, or any other time you want to. Our internal build process puts in a startup script that prompts you to download the key when the system comes up from being built.

Your tool could solve this once the authenticy of the new machine
is established and kerberos is up and running. Could LDAP help me
do even the bootstraping in a secure fashion?

Hm, we assume the system is authentic, since the key download is restricted by user, rather than by system. We do require you to fill out a form requesting that we create the keytab for you on the server side of things, along with user(s) who can download the keytab. Our general Kerberos configuration requires forward/reverse DNS work for the system as well. There's nothing that I can see that you can do that will not require human interaction at some point to get the key onto the server.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

References:
- Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)
  - From: Donn Cave <donn@u.washington.edu>
- Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)
  - From: Frank Swasey <Frank.Swasey@uvm.edu>
- Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)
  - From: Tony Earnshaw <tonye@billy.demon.nl>
- Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)
  - From: Andreas Schuldei <andreas@schuldei.org>
- Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)
  - From: Quanah Gibson-Mount <quanah@stanford.edu>
- Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)
  - From: Andreas Schuldei <andreas@schuldei.org>

Prev by Date: LDIF comments for referrals?
Next by Date: Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)
Index(es):
- Chronological
- Thread