[Date Prev][Date Next] [Chronological] [Thread] [Top]


--On Tuesday, February 03, 2004 5:43 PM +0530 Vikas Gandhi <VGandhi@quark.co.in> wrote:

Hi All

I have choosen Kerberos V5 for SSO. I have already tried gssapi samples
for all the three OS and they work fine. So I know that my configuration
has no such issues. My mission is to develop a generalised libraray so
that I do not face any problem when I want to add certificate support/TLS
to the server thru ldap.

a) As my authentication servers(KDC) are more or less independent of
directory services, am I forced to use authentication thru directory???
clientapp --> LDAP --> SASL/GSSAPI --> KDC --> Tickets
clientapp --> SASL/GSSAPI --> KDC --> Tickets
I am confused in the basic approaches????

b) If I want to use thru directory then I suppose we have to use it as a
plugins???? Or is there any other way.

c) Can I use Cyrus SASL as a framework for authentication or not ????


At Stanford we have our KDC's separate from OpenLDAP. The general method we use is that you get your K5 tickets during the login process, and then we connect to our LDAP servers to get passwd file information (in the case of posixAccount NIS replacement). So yes, your authentication servers can be completely separate from the directory.

Our client apps use a utility called k5start to get tickets from the KDC. They then use those tickets to authenticate to the directory server to make their queries.


Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html