Re: OpenLDAP and optional kerberos ?

[Howard Chu <hyc@symas.com>]

Nicolas GRENECHE wrote:
> Hi all,
>
> I need tu replace an old NIS with a topnotch OpenLDAP server.
> I would like to add SSO support on my brand new architecture.
>
> 2 scenarii may occur :
> 1) Using pam_kerberos to authentaicate against KDC and retreiving 
> information from LDAP server with SASL.
> The backward is that anyone (or anything) that need to authenticate MUST 
> be kerberos aware.

You mean that any LDAP client must be Kerberos aware? Certainly clients don't 
need to know anything about Kerberos for pam_kerberos to work. And Kerberos in 
LDAP is just a matter of using SASL, the Kerberos details are handled by GSSAPI.

> 2) Having LDAP and Kerberos passwords synced.
> Asset : You can authenticate through LDAP or kerberos (pam_ldap required 
> an pam_kerberos optional) ie you must authenticate against LDAP and if 
> Kerberos autentication success you get a TGT !
> Backward : Two password databases to protect / lot of work on client 
> side / passwords must be synced (Do you now materials to do it ?).

This doesn't seem to offer any actual benefits over (1). But as a matter of 
course, I would use a Heimdal KDC backed by OpenLDAP, in which case there is 
only one password database for both.

> I add that security is not a major concern for us and we got many OS on 
> client side that's why the 1st solution may not fit our needs.
>
> Has someone ever experienced the second solution ?
> Have you some hints and feedbacks ?
>
> Thx,
>
> Nico


--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/