
RE: {KERBEROS} userPasswords



On Jun 16 at 1:45pm, Howard Chu wrote:

> Ok.... Are the web interfaces SSL-protected already? If not, I guess any
> further thought in this direction is moot.

Of course not!  "Security is for dweebs" seems to be the philosophy these
applications have taken.

> I'll guess that your apps don't use HTTP authentication, but you instead
> have a special login form and then send a cookie back to the browser that is
> used on subsequent accesses.

Correct.  They have an internal database of users (which they will allow
to be stored in LDAP, we're just moving them further than they want by
"allowing" them to use our kerberos userids/passwords that these folks
use at the rest of the university).

> OK, your apps are performing simple binds and there's nothing you can do to
> change that. I suggest setting up a "proxy" slapd on the same machines that
> run your applications. If the apps support ldapi, use that for connecting
> otherwise configure them to use localhost.
>
> On the proxy, set up a back-shell backend to handle the incoming binds.
> The back-shell "bind" script will have to do an ldapsearch to retrieve an
> attribute of the provided DN, to extract the Kerberos username. This
> transaction can be encrypted or not, depending on whether you think
> usernames are sensitive data. Certainly they are not as sensitive as
> passwords.

If I'm going to all that trouble, I might just as well write
something that accepts a simple bind and does a kerberos password check
because the attribute the applications have is the kerberos userid....
At this time, they also don't use LDAP for anything else :(

-- 
Frank Swasey                    | http://www.uvm.edu/~fcs
Systems Programmer              | Always remember: You are UNIQUE,
University of Vermont           |    just like everyone else.
                    === God Bless Us All ===
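The back-shell "bind" handler Howard sketches, combined with the direct Kerberos password check Frank would rather do, as an added example that is not part of the thread. It assumes the slapd-shell(5) request/response line protocol, that the bound DN's uid RDN is the Kerberos userid (Howard's variant would ldapsearch an attribute instead), a placeholder realm, and MIT kinit reading the password from stdin.

```shell
#!/bin/sh
# back-shell "bind" handler for the proxy slapd (added example, not from the thread).
# Assumes the slapd-shell(5) protocol (BIND on stdin, RESULT on stdout) and that the
# DN's uid RDN is the Kerberos userid; Howard's variant would ldapsearch an attribute.
KRB5_REALM=${KRB5_REALM:-EXAMPLE.EDU}          # placeholder realm
# Read one BIND request; sets REQ_MSGID REQ_DN REQ_METHOD REQ_CREDLEN REQ_CRED.
parse_bind_request() {
    REQ_MSGID= REQ_DN= REQ_METHOD= REQ_CREDLEN= REQ_CRED=
    IFS= read -r line && [ "$line" = BIND ] || return 1
    while IFS= read -r line; do             # IFS= keeps spaces in the password
        case $line in
            "msgid: "*)   REQ_MSGID=${line#msgid: } ;;
            "dn: "*)      REQ_DN=${line#dn: } ;;
            "method: "*)  REQ_METHOD=${line#method: } ;;
            "credlen: "*) REQ_CREDLEN=${line#credlen: } ;;
            "cred: "*)    REQ_CRED=${line#cred: }; break ;;   # last field
        esac
    done
    # a password containing a newline would be truncated above: reject it
    [ -n "$REQ_DN" ] && [ "${#REQ_CRED}" = "$REQ_CREDLEN" ]
}
# DN -> Kerberos principal; only uid=<user>,... DNs are accepted.
principal_for_dn() {
    case $1 in
        uid=*,*) u=${1#uid=}; u=${u%%,*}; printf '%s@%s\n' "$u" "$KRB5_REALM" ;;
        *) return 1 ;;
    esac
}
# Password check = get an initial ticket into a throwaway cache (MIT kinit reads
# the password from stdin when it is not a tty; assumption). A ticket alone only
# shows something answered as the KDC; also validate it against a host keytab.
krb5_check_password() {
    cc=$(mktemp) || return 49                  # 49 = LDAP invalidCredentials
    if printf '%s\n' "$2" | kinit -c "FILE:$cc" "$1" >/dev/null 2>&1
    then rc=0; else rc=49; fi
    rm -f "$cc"; return $rc
}
send_result() { printf 'RESULT\ncode: %s\n' "$1"; }
handle_bind() {
    parse_bind_request || { send_result 2; return 2; }            # protocolError
    # simple bind (method 128) only; an empty password is an anonymous bind in
    # LDAP, never an authenticated user, so refuse it before touching Kerberos
    if [ "$REQ_METHOD" != 128 ] || [ -z "$REQ_CRED" ]; then send_result 49; return 49; fi
    princ=$(principal_for_dn "$REQ_DN") || { send_result 49; return 49; }
    krb5_check_password "$princ" "$REQ_CRED" && rc=0 || rc=$?
    send_result "$rc"; return "$rc"
}
# slapd.conf on the proxy (assumption):  database shell / bind /path/to/this.sh --serve
[ "${1:-}" = --serve ] && handle_bind
```

Run with `--serve` from the proxy's slapd.conf; without arguments the script only defines the functions, which is how the protocol parsing can be exercised by hand.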