[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: LDAPv3 a nightmare



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Mark H. Wood

> The OP seems to be objecting (in part, anyway) to the
> (mistaken) notion
> that he's going to wind up with three sets of passwords to
> coordinate, one
> in each of OpenLDAP, SASL, and Kerberos.

It's easy to see where this notion arises since by default, all of these
systems do use their own separate user databases. Of course, when you've read
the documentation and you know how Kerberos is used, the path becomes
clearer.

> Not so.  If the authentication mechanism is GSSAPI, OpenLDAP
> will hand the
> authentication job over to SASL and depend on its response.
> Similarly, if
> the GSSAPI sub-mechanism is Kerberos V, SASL will just verify
> the ticket
> with Kerberos.  Neither SASL nor OpenLDAP need, or should have, any
> password information in this setup.  Only one password repository is
> needed.  SASL won't need a database because it has nothing to
> store, and
> OpenLDAP's database will hold only the *other* stuff you'd
> use a directory
> for and which Kerberos is not designed to know anything
> about.  The job is
> split up rather neatly:  SASL negotiates an authentication mechanism,
> Kerberos carries out the authentication, and OpenLDAP dishes
> up authorized
> responses to authenticated clients.

Yes, only one password repository is needed. In fact only one database is
needed; you can configure Heimdal Kerberos to store its information in LDAP,
piggybacked onto the usual user information. Personally I think this is the
best way to go because it means you only have one database to administer when
you're doing user management tasks. You can even set things up such that all
of the possible authentication methods are all valid, and all using the same
userPassword in LDAP (although I'm not sure why you would; certainly you
wouldn't want to give plaintext access to the same key that's used for your
Kerberos and other strong authentication mechanisms).

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support