[Date Prev][Date Next] [Chronological] [Thread] [Top]


--On Thursday, June 26, 2003 7:20 PM +0200 Turbo Fredriksson <turbo@bayour.com> wrote:

"Quanah" == Quanah Gibson-Mount <quanah@stanford.edu> writes:

Quanah> Hi Turbo, We've been running 2.1 in production since April Quanah> of this year, and it has proven to be very stable. We use Quanah> Kerberos V5 extensively, and make use of krb5PrincipalName Quanah> to do the mappings you are talking about, which indeed Quanah> allows us to have more flexible ACL's.

Could you give me some ACL/ACI examples on how you have set it up?

Yes, but I'm on vacation the rest of this week, so it'll be on Monday.

Quanah> I will note that for the servers, you will want to compile Quanah> them against Heimdal K5 and NOT MIT Kerberos V5 if you are Quanah> using threads, as your servers will not be stable Quanah> otherwise. ;) For clients, it doesn't really matter too Quanah> much.

There's no WAY i'm switching to KTH kerberos! Not for 'sentimental' or
or other 'strange' :) reasons. I'm not going to rebuild my WHOLE site,
with lots of users, usage etc, etc. It will take WAY to much time, effort
and most of all MONEY to switch.

It's just not a viable option if you think of it...

You really missed what I'm saying on this. There is no need to convert your cell, clients or anything else to Heimdal. You just need to compile openldap against Heimdal for your servers instead of MIT. We are a 99.99% MIT Kerberos implementation here at Stanford as well. We use a MIT KRB5 compiled version of OpenLDAP for clients of the servers. On our servers themselves, all our login functions (login.krb, etc) are still MIT KRB5.


Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html