[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)

To: Quanah Gibson-Mount <quanah@stanford.edu>
Subject: Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)
From: Andreas Schuldei <andreas@schuldei.org>
Date: Fri, 30 Jul 2004 05:36:46 +0200
Cc: Openldap list <openldap-software@OpenLDAP.org>
Content-disposition: inline
In-reply-to: <4C40C4835866B32082DA7733@cadabra-dsl.stanford.edu>
References: <1EA0D424-E0E7-11D8-A4CF-000A959133A8@u.washington.edu> <Pine.LNX.4.58.0407290820350.2919@ybpnyubfg.ybpnyqbznva> <1091128959.10757.198.camel@localhost> <20040729215216.GG2125@markus.schuldei.org> <4C40C4835866B32082DA7733@cadabra-dsl.stanford.edu>
User-agent: Mutt/1.5.3i

* Quanah Gibson-Mount (quanah@stanford.edu) [040730 01:14]:
> We wrote our own utility that downloads the keys over an encrypted channel 
> to the target system.  It validates the calls using the user's Kerberos 
> principal.  It allows for multiple people to be on the ACL for a keytab, 
> and it allows for multiple groups (which can contain multiple people) to be 
> on the ACL for a keytab.

this does not solve the bootstrap problem, does it? for that the
key needs to get to the server at install (or configuration)
time.

Debian-edu tries to be a key-turn educational system (for
schools) providing several services (optionally on different
servers). Adding new servers (e.g. terminal servers) to the
network would require to add the server to the domain which of
cause would require human admin interaction on the Main server
side (otherwise anyone could add his machine as a server). But
that should be minimal, manageable even for teachers.

Your tool could solve this once the authenticy of the new machine
is established and kerberos is up and running. Could LDAP help me
do even the bootstraping in a secure fashion?

Follow-Ups:
- Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)
  - From: Quanah Gibson-Mount <quanah@stanford.edu>
- Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)
  - From: Donn Cave <donn@u.washington.edu>

References:
- Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)
  - From: Donn Cave <donn@u.washington.edu>
- Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)
  - From: Frank Swasey <Frank.Swasey@uvm.edu>
- Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)
  - From: Tony Earnshaw <tonye@billy.demon.nl>
- Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)
  - From: Andreas Schuldei <andreas@schuldei.org>
- Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)
  - From: Quanah Gibson-Mount <quanah@stanford.edu>

Prev by Date: Re: About userSMIMECertificate&userPKCS12 attributes
Next by Date: Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)
Index(es):
- Chronological
- Thread