
Re: Ldap as authentication system (based on RFC2307)



On Sun, 14 Jan 2001, Alexandre Ghisoli wrote:

> Hi there,
>
> I've read a lot of documentation, and took time to look at the openldap mail
> archive.
> Now, I need to set up a real LDAP server for a global auth system (login,
> squid, apache, mail, ...).

- LDAP in and of itself is IMHO not the best choice for
authentication. It's fine for authorization and as a window into
another authentication system.  It works best when it can piggyback
on another authentication scheme.

>
> Proposal structure :
> ./Slackware 7.1
> ./OpenLDAP 2.0.7
> ./nss_ldap
> ./OpenSSL
> ./SASL
>
> I really don't need Kerberos or PAM.

- Well, I think you do. If you want encryption your two choices
are Kerberos or SSL. From an infrastructure perspective there
are many advantages to Kerberos over SSL.

>
> So, I've set up nss_ldap and openldap, and it works. But I need to keep
> userPassword secret, so I've used the "access to attr=userPassword" directive in
> slapd.conf, and it works very well.
> Now, how do I set up good crypto between the client and the OpenLDAP server?

- You need either Kerberos or SSL to do this.


> And some needs :
> ./ I have 200+ accounts set up in /etc/shadow; I need to keep the passwords
> ./ Slack uses a derived MD5 algorithm to create shadow passwords

- If you add PAM, you won't need to keep the password in
/etc/shadow. You'll still need to generate account entries.


>
> Please, could you share your experiences?
> What's the real utility of SASL?
>

- SASL is a means of negotiating the authentication
method between client and server and whether
that connection is encrypted or not. Outside of
LDAP over SSL it is the only secure means of
authenticating to an LDAP server.

- Booker C. Bense
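The migration question above (keeping 200+ /etc/shadow accounts and their existing MD5-crypt hashes) can be handled without ever touching a clear-text password: the crypt(3) hash is stored verbatim behind the {CRYPT} scheme so that slapd verifies binds against it, while the "access to attr=userPassword ... by anonymous auth" ACL already mentioned keeps it unreadable. This is an added example, not code from the thread; the POSIX sh function, the base DN and the sample passwd/shadow records (placeholder hash) are all constructed here.

```shell
#!/bin/sh
# Constructed sample records (placeholder MD5-crypt hash, not a real user).
PASSWD_LINE='alice:x:1001:100:Alice Example:/home/alice:/bin/bash'
SHADOW_LINE='alice:$1$saltsalt$XXXXXXXXXXXXXXXXXXXXXX:11336:0:99999:7:::'
BASE_DN='ou=People,dc=example,dc=com'   # assumed People container

# shadow_to_ldif PASSWD_LINE SHADOW_LINE BASE_DN
# Prints one RFC 2307 entry (posixAccount + shadowAccount). The existing
# crypt(3) hash is copied unchanged behind the {CRYPT} scheme, so the user's
# password survives the move and is never handled in clear text. Locked or
# empty hashes get no userPassword at all, so those accounts cannot bind.
shadow_to_ldif() {
    pw_line=$1 sh_line=$2 base=$3
    old_ifs=$IFS
    set -f                     # no globbing: a locked hash is literally "*"
    IFS=:
    set -- $pw_line
    user=$1 uid=$3 gid=$4 gecos=$5 home=$6 shell=$7
    set -- $sh_line
    sh_user=$1 hash=$2 lastchg=$3 minday=$4 maxday=$5 warn=$6
    IFS=$old_ifs
    set +f
    if [ "$user" != "$sh_user" ] || [ -z "$uid" ]; then
        echo "shadow_to_ldif: passwd/shadow mismatch for '$user'" >&2
        return 1
    fi
    case $hash in
        ''|'*'|'!'*) pw_attr='' ;;                       # locked account
        *)           pw_attr="userPassword: {CRYPT}$hash" ;;
    esac
    printf 'dn: uid=%s,%s\n' "$user" "$base"
    printf 'objectClass: top\nobjectClass: account\n'
    printf 'objectClass: posixAccount\nobjectClass: shadowAccount\n'
    printf 'uid: %s\ncn: %s\n' "$user" "$user"
    if [ -n "$gecos" ]; then printf 'gecos: %s\n' "$gecos"; fi
    printf 'uidNumber: %s\ngidNumber: %s\n' "$uid" "$gid"
    printf 'homeDirectory: %s\nloginShell: %s\n' "$home" "$shell"
    if [ -n "$pw_attr" ]; then printf '%s\n' "$pw_attr"; fi
    printf 'shadowLastChange: %s\nshadowMin: %s\n' "$lastchg" "$minday"
    printf 'shadowMax: %s\nshadowWarning: %s\n\n' "$maxday" "$warn"
}

# Feed the LDIF to ldapadd only over a protected channel (ldaps:// or
# StartTLS), since the hashes travel in the request body.
shadow_to_ldif "$PASSWD_LINE" "$SHADOW_LINE" "$BASE_DN"
```

Run it once per passwd/shadow pair and concatenate the output into a single LDIF; the {CRYPT} scheme requires slapd to have been built with crypt(3) support, which the page's Slackware setup provides via the system libc.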