[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)

To: Andreas Schuldei <andreas@schuldei.org>
Subject: Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Thu, 29 Jul 2004 16:12:15 -0700
Cc: Openldap list <openldap-software@OpenLDAP.org>
Content-disposition: inline
In-reply-to: <20040729215216.GG2125@markus.schuldei.org>
References: <1EA0D424-E0E7-11D8-A4CF-000A959133A8@u.washington.edu> <Pine.LNX.4.58.0407290820350.2919@ybpnyubfg.ybpnyqbznva> <1091128959.10757.198.camel@localhost> <20040729215216.GG2125@markus.schuldei.org>

--On Thursday, July 29, 2004 11:52 PM +0200 Andreas Schuldei <andreas@schuldei.org> wrote:

* Tony Earnshaw (tonye@billy.demon.nl) [040729 22:20]:

Because this one chose Heimdal?


can someone please comment on the MIT vs Heimdal question? i hear
Heimdal is able to distribute principals and keys over ldap.

We have a network with differnt services (imap, samba, soon AFS,
ldap, terminal servers, ...) which would need own kerberos keys
automatically.

Using Heimdal and ldap would solve our distribution problem.
But people tell me that this idea is against the spirit of
kerberos. (An alternative idea for MIT Kerberos would be ssh keys
without passphrases for every server and automatic distribution
over ssh.)

could someone comment, and tell me how they solved this problem?

We wrote our own utility that downloads the keys over an encrypted channel to the target system. It validates the calls using the user's Kerberos principal. It allows for multiple people to be on the ACL for a keytab, and it allows for multiple groups (which can contain multiple people) to be on the ACL for a keytab.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

Follow-Ups:
- Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)
  - From: Donn Cave <donn@u.washington.edu>
- Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)
  - From: Stephen Frost <sfrost@snowman.net>
- Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)
  - From: Andreas Schuldei <andreas@schuldei.org>

References:
- Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)
  - From: Donn Cave <donn@u.washington.edu>
- Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)
  - From: Frank Swasey <Frank.Swasey@uvm.edu>
- Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)
  - From: Tony Earnshaw <tonye@billy.demon.nl>
- Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)
  - From: Andreas Schuldei <andreas@schuldei.org>

Prev by Date: Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)
Next by Date: Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)
Index(es):
- Chronological
- Thread