Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos and DIGEST-MD5)
--On Friday, July 30, 2004 5:36 AM +0200 Andreas Schuldei
* Quanah Gibson-Mount (firstname.lastname@example.org) [040730 01:14]:
We wrote our own utility that downloads the keys over an encrypted
channel to the target system. It validates the calls using the user's
Kerberos principal. It allows for multiple people to be on the ACL for
a keytab, and it allows for multiple groups (which can contain multiple
people) to be on the ACL for a keytab.
This does not solve the bootstrap problem, does it? For that the
key needs to get to the server at install (or configuration)
This is really getting OT for OL, so please just email me directly on
further responses. ;)
It does essentially, because our utility authenticates you to the KDC, and
then downloads the key. You can then install the key at build time, or any
other time you want to. Our internal build process puts in a startup
script that prompts you to download the key when the system comes up from
Your tool could solve this once the authenticity of the new machine
is established and Kerberos is up and running. Could LDAP help me
do even the bootstrapping in a secure fashion?
Hm, we assume the system is authentic, since the key download is restricted
by user, rather than by system. We do require you to fill out a form
requesting that we create the keytab for you on the server side of things,
along with user(s) who can download the keytab. Our general Kerberos
configuration requires forward/reverse DNS work for the system as well.
There's nothing that I can see that you can do that will not require human
interaction at some point to get the key onto the server.
Principal Software Developer
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
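The per-keytab authorization described in the message above (a user list plus group lists, checked against the caller's already-authenticated Kerberos principal), as an added example that is not the Stanford utility's own code; the principals, groups, keytab names, realm and the local-realm check are constructed assumptions.

```python
"""Model of a per-keytab download ACL: direct users plus groups of users.

The caller's principal is assumed to have been authenticated already
(for example via GSSAPI over the encrypted channel); this only decides
whether that principal may fetch a given keytab. Default is deny.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class KeytabAcl:
    users: frozenset   # principals allowed directly
    groups: frozenset  # group names whose members are allowed

# Constructed sample data (hypothetical, not from the thread).
REALM = "EXAMPLE.ORG"
GROUPS = {
    "ldap-admins": frozenset({"alice@EXAMPLE.ORG", "bob@EXAMPLE.ORG"}),
    "web-ops": frozenset({"carol@EXAMPLE.ORG"}),
}
KEYTAB_ACLS = {
    "ldap/ldap1.example.org": KeytabAcl(
        users=frozenset({"dave@EXAMPLE.ORG"}), groups=frozenset({"ldap-admins"})),
    "host/web1.example.org": KeytabAcl(
        users=frozenset(), groups=frozenset({"web-ops"})),
}

def may_download(principal, keytab, acls=KEYTAB_ACLS, groups=GROUPS, realm=REALM):
    """Return (allowed, reason) for an authenticated principal and a keytab name.

    The reason string is meant for the audit log of the download service.
    """
    # Assumption: only principals from the local realm may hold keytabs here.
    if "@" not in principal or principal.rsplit("@", 1)[1] != realm:
        return False, "principal not in local realm"
    acl = acls.get(keytab)
    if acl is None:
        return False, "no ACL for keytab"      # unknown keytab: deny
    if principal in acl.users:
        return True, "user ACL"
    for group in acl.groups:
        if principal in groups.get(group, frozenset()):
            return True, f"group ACL ({group})"
    return False, "not on ACL"

if __name__ == "__main__":
    for who in ("alice@EXAMPLE.ORG", "carol@EXAMPLE.ORG", "alice@OTHER.ORG"):
        print(who, "ldap/ldap1.example.org", may_download(who, "ldap/ldap1.example.org"))
```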