Re: ACL/ACI && SASL
--On Thursday, June 26, 2003 7:20 PM +0200 Turbo Fredriksson
"Quanah" == Quanah Gibson-Mount <firstname.lastname@example.org> writes:
Quanah> Hi Turbo, We've been running 2.1 in production since April
Quanah> of this year, and it has proven to be very stable. We use
Quanah> Kerberos V5 extensively, and make use of krb5PrincipalName
Quanah> to do the mappings you are talking about, which indeed
Quanah> allows us to have more flexible ACLs.
Could you give me some ACL/ACI examples on how you have set it up?
Yes, but I'm on vacation the rest of this week, so it'll be on Monday.
Quanah> I will note that for the servers, you will want to compile
Quanah> them against Heimdal K5 and NOT MIT Kerberos V5 if you are
Quanah> using threads, as your servers will not be stable
Quanah> otherwise. ;) For clients, it doesn't really matter too
There's no WAY I'm switching to KTH Kerberos! Not for 'sentimental' or
other 'strange' :) reasons. I'm not going to rebuild my WHOLE site,
with lots of users, usage etc, etc. It will take WAY too much time, effort
and most of all MONEY to switch.
It's just not a viable option if you think of it...
You really missed what I'm saying on this. There is no need to convert
your cell, clients or anything else to Heimdal. You just need to compile
OpenLDAP against Heimdal for your servers instead of MIT. We are a 99.99%
MIT Kerberos implementation here at Stanford as well. We use an MIT KRB5
compiled version of OpenLDAP for clients of the servers. On our servers
themselves, all our login functions (login.krb, etc) are still MIT KRB5.
Senior Systems Administrator
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html