[Date Prev][Date Next] [Chronological] [Thread] [Top]

OpenLDAP (v1.2.11), Kerberos (MIT Krb5, v1.2.1) and client software

To: openldap-software@OpenLDAP.org
Subject: OpenLDAP (v1.2.11), Kerberos (MIT Krb5, v1.2.1) and client software
From: Turbo Fredriksson <turbo@bayour.com>
Date: 25 Jan 2001 15:35:50 +0100
Organization: LDAP expert wannabe
User-agent: Gnus/5.0807 (Gnus v5.8.7) Emacs/20.7

I've  been having OpenLDAP/PAM  authentication for  about a  year now,
with  very little trouble  (every now  and then  the server  dies, and
replication isn't so auto magic I'd hoped for).

I am now on the verge of the next big step, KERBEROS!

I post this  mail in the hopes that I will  understand better what I'm
about to do, and  to see if I am mixing things up, or  if I am way out
on the left field... :)


I am currently setting up Kerberos/PAM on my laptop/workstation/development
platform and so far so good... I have great hopes that this will work
just fine...


What   i   would   like,  in   the   end,   is   to  have   all   this
(OpenLDAP/Kerberos/QmailLDAP etc) as one.  That is, not two passwords,
but one...

Kerberos  between  the  OpenLDAP  master/replicas, kerberos  from  the
client  machines (using pam_ldap)  to the  OpenLDAP database,  and the
possibility to  have a 'single-sign-on' kind'a  system (using Kerberos
tickets).


That  is, _ALL_  communication  to the  OpenLDAP  database should  use
Kerberos.    That    include    QmailLDAP/Controls   doing    kerberos
authentication/encrypted communication to the OpenLDAP server.

Preferably the 'kerberosSecurityObject' objectclass (with the attribute
'krbName') should somehow be used in all this to...


* First question: IF I recompile OpenLDAP '--with-kerberos', how is the
  kerberos authentication/encryption done? Is it up to the client software
  to do the kerberos init?

* Second question: How do I combine OpenLDAP with (MIT) Kerberos?

* Third question: How do I make my client machines (from/via PAM I suppose)
  to use kerberos to the LDAP database?

* Fourth question: Since I'm doing round-robin to the LDAP database
  (currently only one master, and one replica but more replicas are planned),
  would that somehow disturb the 'Kerberos ticketing stuff' (sorry for the
  use of a bad word, but I'm just starting to learn about 'this Kerberos stuff'
  :).


Anything else that I might have overlooked, or should study closer? Is there
some kind of (mini/micro) HOWTO/FAQ that I can take a look at to understand
the issue(s) better?

-- 
 Turbo     __ _     Debian GNU     Unix _IS_ user friendly - it's just 
 ^^^^^    / /(_)_ __  _   ___  __  selective about who its friends are 
         / / | | '_ \| | | \ \/ /   Debian Certified Linux Developer  
  _ /// / /__| | | | | |_| |>  <  Turbo Fredriksson   turbo@tripnet.se
  \\\/  \____/_|_| |_|\__,_/_/\_\ Stockholm/Sweden

Follow-Ups:
- Re: OpenLDAP (v1.2.11), Kerberos (MIT Krb5, v1.2.1) and client software
  - From: "Booker C. Bense" <bbense@networking.stanford.edu>
- Re: OpenLDAP (v1.2.11), Kerberos (MIT Krb5, v1.2.1) and client software
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re: Interaction between OpenLDAP and MSExchange D.S.
Next by Date: Help
Index(es):
- Chronological
- Thread