Need some tips on kerberizing our ENTIRE network
jay alvarez
kerber0sb0y at yahoo.com
Tue Jul 5 22:47:13 EDT 2005
Good day,

We had a meeting last time regarding the need for centralized authentication in our agency. Everyone except me was looking into using an ldap directory. I insisted to them that if we were to use ldap for the sole purpose of authentication, ldap was not designed for it, and we should be considering the use of kerberos instead. But I told them that there is a catch: if we were to use kerberos, we must find kerberized versions of those network services we wish to use kerberos authentication with. In short, other custom-made apps, such as web applications, must find a way to know how to interact with kerberos. On the other hand, doing some research of my own, ldap support for popular services seems to be more available than kerberos support. At the end of our meeting, we agreed upon an accounting of our services which require authentication and finding out if they support authentication through ldap (since we still need the directory functions of ldap).
But my problem is this: I've been reading a lot of discussion regarding the use of kerberos authentication, its strength against other mechanisms, and the whole protocol itself, and I'm pretty much convinced that for authentication, kerberos is the only way to go. In short, I'm still looking forward to using kerberos for our network services' authentication instead of ldap, which leads me to a bigger problem. Will it be achievable for the following services?
  jabberd2 (by just looking at its config file, it definitely supports ldap, not sure with kerberos)
  Nagios server monitoring (I've heard some discussions regarding its ldap support, not sure with kerberos)
  rt3 TTS (also read about some ldap support, not sure with kerberos)
  email (qmail or postfix): I just bumped into a document saying postfix supports sasl/gssapi, and qmail has a qmail-ldap version, but not sure about qmail-kerberos.
  ssh (I saw its sshd_config and it has an option for kerberos authentication)
  Unix login (I'm also quite sure it supports being kerberized)
  radius wifi login (ldap support, also not sure with kerberos)
  ftp (although kerberos provides a kerberized ftpd, we are currently using ProFTP; no idea if it supports kerberos authentication)
  samba (we are using a Snap server. It's an appliance which, if it doesn't support kerberos, there's no way to tweak it, I guess.)
  web apps (I've read some docs regarding apache modules for kerberos, some patches for some web browsers to support kerberos authentication, and also some rfcs which discuss adding a kerberos mech to the SSL/TLS protocol.)
  openldap directory (it definitely supports kerberos)
Summary of apps that I'm SURE have kerberos support:
  postfix
  ssh
  unix logins
  ldap

Summary of apps that I'm NOT SURE have kerberos support:
  jabberd2
  webapps
  samba (Snap server)
  radius
  rt
  nagios
Our bosses rely on best practices most of the time, such as using the most widely used email server, ftp, etc. If only I can convince them of the ease of having the rock-solid single sign-on environment kerberos has to offer, which I think I can, I'm sure it would be easy to convince them to use other software alternatives that support kerberos rather than the popular ones which lack it.

My huge problem is: will it be achievable for those services I have mentioned above? IMO, I don't see any sense in kerberizing some of the services while others are still authenticating through ldap, do you?

What do you think?

Thanks!
-jay
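As an added example (not part of Jay's post or any project's code), a small POSIX shell audit of the sshd_config option he mentions: it reports the effective global Kerberos/GSSAPI settings of an OpenSSH server config, honouring sshd's rule that the first occurrence of a keyword wins and that anything under a Match header is conditional. The config file it reads is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit the Kerberos-related
# keywords in an OpenSSH sshd_config. Two sshd parsing rules matter here:
# the FIRST occurrence of a keyword wins (a later duplicate is ignored), and
# anything below a "Match" header is conditional, not the global setting.
# The "Keyword=value" spelling sshd also accepts is not handled.

# Print the effective global value of one keyword (empty if it is not set).
ssh_krb_setting() {
    awk -v key="$2" '
        tolower($1) == "match"          { exit }   # conditional block starts
        /^[[:space:]]*#/ || NF == 0     { next }   # comments and blank lines
        tolower($1) == tolower(key)     { print $2; exit }  # first match wins
    ' "$1"
}

# Return 0 when GSSAPI (Kerberos v5 over GSS-API) user authentication is on
# for all users; an absent keyword means the OpenSSH default, which is "no".
ssh_krb_enabled() {
    val=$(ssh_krb_setting "$1" GSSAPIAuthentication)
    [ "${val:-no}" = "yes" ]
}

# Report the keywords that together make a Kerberos ssh login path work.
ssh_krb_report() {
    for k in KerberosAuthentication GSSAPIAuthentication \
             GSSAPICleanupCredentials UsePAM; do
        v=$(ssh_krb_setting "$1" "$k")
        printf '%-26s %s\n' "$k" "${v:-(default)}"
    done
}

# Constructed sample config for the demonstration, not a real host's file.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# Kerberos options
#KerberosAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
GSSAPIAuthentication no
Match User backup
    GSSAPIAuthentication no
EOF

ssh_krb_report "$SAMPLE_CFG"
```

The commented-out KerberosAuthentication line and the later "GSSAPIAuthentication no" show why a plain grep of the last match gives the wrong answer.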