[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP and optional kerberos ?

Nicolas GRENECHE wrote:
Hi all,

I need tu replace an old NIS with a topnotch OpenLDAP server.
I would like to add SSO support on my brand new architecture.

2 scenarii may occur :
1) Using pam_kerberos to authentaicate against KDC and retreiving information from LDAP server with SASL.
The backward is that anyone (or anything) that need to authenticate MUST be kerberos aware.

You mean that any LDAP client must be Kerberos aware? Certainly clients don't need to know anything about Kerberos for pam_kerberos to work. And Kerberos in LDAP is just a matter of using SASL, the Kerberos details are handled by GSSAPI.

2) Having LDAP and Kerberos passwords synced.
Asset : You can authenticate through LDAP or kerberos (pam_ldap required an pam_kerberos optional) ie you must authenticate against LDAP and if Kerberos autentication success you get a TGT !
Backward : Two password databases to protect / lot of work on client side / passwords must be synced (Do you now materials to do it ?).

This doesn't seem to offer any actual benefits over (1). But as a matter of course, I would use a Heimdal KDC backed by OpenLDAP, in which case there is only one password database for both.

I add that security is not a major concern for us and we got many OS on client side that's why the 1st solution may not fit our needs.

Has someone ever experienced the second solution ?
Have you some hints and feedbacks ?



  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/