
RE: Ldap as authentication system (based on RFC2307) - status



Re to everybody,

Info about my research / coding progress:

1/ To keep userPassword secret, I need to authenticate the user on the LDAP
server _before_ sending a query for this user. This is not possible with the
current login.c code. I've read through this code, and there is no easy way to
ask for the password before fetching the encrypted password.

2/ To solve issue 1/, the only way is to do the bind_ldap with the admin login,
so it's possible to fetch userPassword at login.

3/ After modifying the nss_ldap lib, it's not easy to fall back to another
authentication system.

So, I plan:

./ Start testing Kerberos, for *internal* needs.
./ Keep the user database on LDAP, with {MD5} userPassword for email / pop /
squid, but those users can't log on to computers.

Is it a good structure?

Regards
		--Alexandre

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Booker C.
> Bense
> Sent: Monday, January 15, 2001 5:44 PM
> To: Alexandre Ghisoli
> Cc: openldap-software@OpenLDAP.org
> Subject: Re: Ldap as authentication system (based on RFC2307)
>
>
> On Sun, 14 Jan 2001, Alexandre Ghisoli wrote:
>
> > Hi there,
> >
> > I've read a lot of documentation, and taken time to look at the openldap
> > mail archive.
> > Now, I need to set up a real LDAP server for a global auth system (login,
> > squid, apache, mail, ...).
>
> - LDAP in and of itself is IMHO not the best choice for
> authentication. It's fine for authorization and as a window into
> another authentication system.  It works best when it can piggyback
> on another authentication scheme.
>
> >
> > Proposal structure :
> > ./Slackware 7.1
> > ./OpenLDAP 2.0.7
> > ./nss_ldap
> > ./OpenSSL
> > ./SASL
> >
> > I really don't need Kerberos or PAM.
>
> - Well, I think you do. If you want encryption your two choices
> are kerberos or SSL. From an infrastructure perspective there
> are many advantages to kerberos over SSL.
>
> >
> > So, I've set up nss_ldap and openldap, and it works. But I need to keep
> > userPassword secret, so I've used the "access to attr=userPassword"
> > directive in slapd.conf, and it works very well.
> > Now, how do I set up good crypto between the client and the OpenLDAP
> > server?
>
> - You need either kerberos or SSL to do this.
>
>
> > And some needs:
> > ./ I've got 200+ accounts set up in /etc/shadow; I need to keep the passwd
> > ./ Slack uses a derived MD5 algo to create the shadow passwd
>
> - If you add PAM, you won't need to keep the password in
> /etc/shadow. You'll still need to generate account entries.
>
>
> >
> > Please, could you share your experiences?
> > What's the real utility of SASL?
> >
>
> - SASL is a means of negotiating the authentication
> method between client and server and whether
> that connection is encrypted or not. Outside of
> LDAP over SSL it is the only secure means of
> authenticating to an ldap server.
>
> - Booker C. Bense
>
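As an added example (not from this thread, and not OpenLDAP project code), here is the shape an OpenLDAP 2.0-era slapd.conf fragment could take for the two things discussed above: the "access to attr=userPassword" directive that keeps the password attribute from being read, and the TLS settings that keep a simple bind from sending the password in clear text. The suffix, rootdn, certificate paths and rootpw value are placeholders.

```conf
# Added example slapd.conf fragment; suffix, rootdn, certificate paths and
# rootpw are assumed placeholders, not values from the thread.

# Server-side TLS so that simple binds (which carry the password) are
# encrypted between client and slapd.
TLSCertificateFile    /etc/openldap/slapd-cert.pem
TLSCertificateKeyFile /etc/openldap/slapd-key.pem
TLSCACertificateFile  /etc/openldap/ca.pem

database        ldbm
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# Store the rootpw as a hash produced by slappasswd, never in clear text.
rootpw          {SSHA}PLACEHOLDER_HASH

# userPassword: the owner may change it; an unauthenticated client may use it
# only to bind ("auth" lets slapd check the credential without disclosing it);
# nobody else can read it.
access to attr=userPassword
        by self write
        by anonymous auth
        by * none

# The remaining posixAccount / posixGroup attributes that nss_ldap needs
# (uidNumber, gidNumber, homeDirectory, loginShell, ...) stay world-readable.
access to *
        by * read
```

The useful property of the `auth` access level is that a client binding as the user is verified by slapd itself, so nothing on the client side ever needs to read or compare the stored hash; only a client that needs to read userPassword (rather than bind with it) would need an administrative identity. Check the result with an anonymous `ldapsearch` for the attribute, which should return the entry without userPassword, and with a TLS-protected bind as the user, which should succeed.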