[27052] in Kerberos


Kerberos Questions

daemon@ATHENA.MIT.EDU (Michael Stanton)
Thu Nov 16 15:00:31 2006

Message-ID: <20061116195951.50218.qmail@web81014.mail.mud.yahoo.com>
Date: Thu, 16 Nov 2006 11:59:51 -0800 (PST)
From: Michael Stanton <stantmk@pacbell.net>
To: kerberos@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

I'm truly a noob when it comes to Kerberos, so I apologize in advance if my questions do not make much sense. I'm looking to propose a recommendation for my company to implement Kerberos v5 authentication in combination with LDAP authorization. We are currently using Sun ONE Directory Server for simple bind authentication and authorization. I would like to know the following:

1) For web applications that currently rely upon LDAP for password info, it is my understanding that implementing Kerberos would require the password field for each user authenticating to the web app to be modified with an entry similar to the following: '{kerberos} joe@kerberosrealm.com', at which point the Kerberos client would take over authentication. Is this a valid statement? Is it truly transparent to the web apps if the password mechanism is changed from simple bind to Kerberos?

2) Does SASL-GSSAPI using Kerberos provide me with any benefit other than enabling LDAP servers to securely authenticate with one another for replication purposes, or is it also the mechanism that enables the LDAP server to authenticate to the KDC, similar to when a client using PAM_krb5 authenticates to the KDC when requesting LDAP services? Does anyone know if Sun One Directory 5.1 or 5.2 comes with a SASL-GSSAPI plug-in, or would I need to purchase the PADL product?

3) Is anyone familiar with Turbo Fredriksson's document "Implementing LDAPv3: OpenLDAP, Kerberos v5 and glue code for distributed data"? Is this the best model for integrating LDAP and Kerberos v5?

Your comments on the above are appreciated.

-Mike
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
