[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: OpenSSL + Kerberos + Cyrus-SASL + OpenLDAP

"Howard Chu" <hyc@symas.com> wrote:

Following-up to several at once, here...

> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Quanah
> Gibson-Mount
> >
> > What you gave was not a recommendation, it was a statement
> > that it wasn't
> > possible.  Jim already noted he had a KDC.  

Uhm... no?  I'm buildin' the whole shootin' match from the start,
Quanah.  (And I've only a vague notion of what the hell I'm doin',
too.  I'm truly a n00b in the woods, here ;).)

>                                               And storing your
> > krb tickets in
> > an ldap store seems rather the security risk to me.

Little as I understand atm: That makes sense to me.  Kind of...

> > Obviously, how you
> > ultimately want to operate your services will affect how you
> > compile these
> > packages, as with any set of software packages you put together.

Of course.

> FWIW, we build in order BDB, OpenSSL, Heimdal, SASL, (libtool), LDAP. We then
> rebuild Heimdal's libhdb with LDAP enabled, for the KDC.
> Given the ephemeral nature of Kerberos tickets, and the fact that they are
> frequently associated with a single client address, I don't see much value in
> storing them in a distributed repository like LDAP. Not to mention the fact
> that you need some other kind of authentication scheme in place to gain
> access to LDAP. You have to draw a line somewhere, and it's silly to pull in
> more security packages to solve the chicken'n'egg problem.

The security issues aside (I have only a vague grasp of what Quanah was
talking about): The above is as good a reason as *I* need not to do

Thanks for the comments, all.  Really appreciated.

(Now I'm on to addressing what I should do about the fact that
Heimdal's configure doesn't notice I've got BDB installed in the
default: /usr/local/BerkeleyDB.4.1.  So I'll just wait for my
heimdal-discuss subscription request to be approved, and resolve that
bit there.  IIRC, from what I've heard in the past: I don't want to
rely on Sun's ndbm implementation.)

Oh btw, everybody: *Please* don't Cc: me when posting to the mailing
list?  (That's why I set my Reply-To: to the list.)  Thanks :).

Jim Seymour                | Spammers sue anti-spammers:
jseymour@LinxNet.com       |     http://www.LinxNet.com/misc/spam/slapp.php
http://jimsun.LinxNet.com  | Please donate to the SpamCon Legal Fund:
                           |     http://www.spamcon.org/legalfund/