
Re: ACL/ACI && SASL





--On Thursday, June 26, 2003 7:20 PM +0200 Turbo Fredriksson <turbo@bayour.com> wrote:

"Quanah" == Quanah Gibson-Mount <quanah@stanford.edu> writes:

Quanah> Hi Turbo, We've been running 2.1 in production since April
Quanah> of this year, and it has proven to be very stable. We use
Quanah> Kerberos V5 extensively, and make use of krb5PrincipalName
Quanah> to do the mappings you are talking about, which indeed
Quanah> allows us to have more flexible ACL's.

Could you give me some ACL/ACI examples on how you have set it up?

Yes, but I'm on vacation the rest of this week, so it'll be on Monday.


Quanah> I will note that for the servers, you will want to compile
Quanah> them against Heimdal K5 and NOT MIT Kerberos V5 if you are
Quanah> using threads, as your servers will not be stable
Quanah> otherwise. ;) For clients, it doesn't really matter too
Quanah> much.

There's no WAY I'm switching to KTH kerberos! Not for 'sentimental' or
other 'strange' :) reasons. I'm not going to rebuild my WHOLE site,
with lots of users, usage etc, etc. It will take WAY too much time, effort
and most of all MONEY to switch.

It's just not a viable option if you think of it...

You really missed what I'm saying on this. There is no need to convert your cell, clients or anything else to Heimdal. You just need to compile openldap against Heimdal for your servers instead of MIT. We are a 99.99% MIT Kerberos implementation here at Stanford as well. We use a MIT KRB5 compiled version of OpenLDAP for clients of the servers. On our servers themselves, all our login functions (login.krb, etc) are still MIT KRB5.


--Quanah

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html