[28691] in Kerberos


Re: MIT Kerberos LDAP backend

daemon@ATHENA.MIT.EDU (Booker Bense)
Thu Nov 8 14:45:11 2007

From: bbense@telemark.slac.stanford.edu (Booker Bense)
Date: Thu, 8 Nov 2007 19:20:26 +0000 (UTC)
Message-ID: <fgvnhq$34k$2@news.Stanford.EDU>
X-Complaints-To: news@news.stanford.edu
To: kerberos@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

In article <mailman.84.1194545352.9118.kerberos@mit.edu>,
Mr J.A. Gilbertson <jgilbert@liverpool.ac.uk> wrote:
>On Thu, 8 Nov 2007, Ken Raeburn wrote:
>
>Do you know of any other method whereby we would be able to effectively 
>let Kerberos delegate the authentication step to LDAP, and then carry on 
>as if that part had been done itself?
>

All Kerberos does is authentication. There have been some efforts
to use LDAP as the back end data store for a KDC, but I don't
know how successful they are. Doing it in a reasonably secure
fashion would also require some very careful work. I think the
Heimdal code has some experimental support for this.

Most sites that use LDAP and Kerberos either use Active Directory (which more
or less has this integration already) or use Kerberos for
authentication and LDAP for authorization. There is usually a sync
process that creates accounts for users in both services.

I don't think there is really any practical way to use LDAP
username/password authentication inside of Kerberos. Mostly since
the password never leaves the local machine in the Kerberos
protocol.

There's a project out there that attempts to duplicate all of
Active Directory with open source software. I've forgotten the
name (padl.com ?), but you might look at that to understand 
what's available and the underlying problem. 

_ Booker C. Bense 


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
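The point that the password never leaves the client, and therefore that a KDC cannot hand the check off to an LDAP bind, can be seen in a simplified model of Kerberos encrypted-timestamp pre-authentication. This is an added illustration, not code from the post or from MIT Kerberos: the key derivation is a stand-in for the real string2key, an HMAC over the timestamp stands in for the encrypted timestamp, and the realm, principal and password are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values, not taken from the original post.
REALM = "EXAMPLE.COM"
PRINCIPAL = "alice"
PASSWORD = "correct horse battery staple"
CLOCK_SKEW_SECONDS = 300  # the conventional 5-minute Kerberos tolerance


def string_to_key(password: str, realm: str, principal: str) -> bytes:
    """Simplified stand-in for Kerberos string2key: derive a long-term key
    from the password and a salt built from realm + principal. Real AES
    enctypes use PBKDF2-HMAC-SHA1 plus a further key-derivation step."""
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096, 32)


# The KDC database holds only the derived key, never the password itself.
KDC_DATABASE = {PRINCIPAL: string_to_key(PASSWORD, REALM, PRINCIPAL)}


def client_preauth(password: str, now: int) -> dict:
    """Client side of PA-ENC-TIMESTAMP, simplified: derive the key locally
    and prove possession of it by authenticating the current time with it.
    Only the principal name, the timestamp and the MAC leave the machine."""
    key = string_to_key(password, REALM, PRINCIPAL)
    ts = str(now).encode()
    return {"cname": PRINCIPAL, "timestamp": ts,
            "mac": hmac.new(key, ts, "sha256").hexdigest()}


def kdc_verify(request: dict, now: int) -> bool:
    """KDC side: recompute the MAC with the stored key and check clock skew.
    Nothing here needs the cleartext password, which is exactly why an LDAP
    simple bind cannot be substituted for this step."""
    key = KDC_DATABASE.get(request["cname"])
    if key is None:
        return False
    expected = hmac.new(key, request["timestamp"], "sha256").hexdigest()
    if not hmac.compare_digest(expected, request["mac"]):
        return False
    return abs(now - int(request["timestamp"])) <= CLOCK_SKEW_SECONDS
```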
