
Re: same objects in multiple ou?

On Mon, Jan 31, 2011 at 04:04:15PM -0600, Joe Comeaux wrote:
> >  Will there be client software which performs the LDAP authentication
> >  directly to the LDAP server?
> >  Can you support SASL binds in your environment?
> 
> I was under the impression that most all the software would be
> attempting to authenticate directly with the LDAP server (my
> understanding of SASL may be a bit unclear). I'm pretty sure the
> linux apps listed above can use SASL. I will need to research SASL
> connections a bit more before deciding if that's what I need or not.

You might be able to get some ideas from here:
http://mailman.mit.edu/pipermail/kerberos/2011-January/016989.html

You should bear in mind that ultimately you're going to have some sort of
"password" stored in a file somewhere on the client machine - whether it be
a Kerberos keytab, or the private key for a TLS certificate, or something
else.  Anyone who has root on the client box will be able to use those
credentials.

(Or, if you don't store it in the filesystem, you'll have to prompt the user
to type it in every time the system starts up)

When you realise this, perhaps a fixed bindDN+password doesn't seem so bad
after all. You only need to grant it just enough access to do searches to
map username to DN, after all.

The big advantage of Kerberising is that the LDAP traffic is encrypted, and
hence protected against both sniffing and tampering, without needing to
deploy TLS and certificates.

Regards,

Brian.
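As an added illustration of the "just enough access" point in Brian's reply (this is not part of the original thread, nor OpenLDAP project code), here is a minimal set of OpenLDAP cn=config ACLs for a fixed bindDN search account. The database DN, suffix, proxy account name and ou layout are assumptions; adjust them to your own tree.

```ldif
# Added example: slapd cn=config ACLs for a read-only "proxy" bind account
# whose only job is to map a username to a DN. Every DN here is
# hypothetical; the database may be {1}mdb rather than {1}hdb on your box.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
# Passwords: users may change their own, anyone may authenticate against
# them (the per-user bind that follows the uid lookup is anonymous at that
# point), nobody may read them back. This rule must come first.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# "read" on the entry pseudo-attribute lets the proxy get the matching
# entry (and so its DN) back from a search.
olcAccess: {1}to dn.subtree="ou=people,dc=example,dc=com" attrs=entry
  by dn.exact="cn=nss-proxy,ou=system,dc=example,dc=com" read
  by users read
  by * none
# "search" on uid lets the proxy evaluate (uid=joe) but not read the
# attribute itself. Ordinary authenticated users keep normal read access.
olcAccess: {2}to dn.subtree="ou=people,dc=example,dc=com" attrs=uid
  by dn.exact="cn=nss-proxy,ou=system,dc=example,dc=com" search
  by users read
  by * none
# Everything else: authenticated users only. The proxy is itself an
# authenticated user, so it is explicitly denied before "by users" matches.
olcAccess: {3}to *
  by dn.exact="cn=nss-proxy,ou=system,dc=example,dc=com" none
  by users read
  by * none
```

Note the two leading spaces on the `by` lines: LDIF folding strips exactly one, and the second is the separator slapd needs. Apply with `ldapmodify -Y EXTERNAL -H ldapi:/// -f` on the server, then check the grant from a client by binding as the proxy and searching for a user: the result should contain the `dn:` line and nothing else, and a search requesting `userPassword` should return no such attribute. If the proxy's password (or keytab, or TLS key) does leak from a root-owned 0600 file on a client, this is all an attacker gains from it.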