Need some tips on kerberizing our ENTIRE network

Mark Campbell mcc171 at psu.edu
Wed Jul 6 00:14:29 EDT 2005


When you ask about nagios support are you asking about authentication to 
the nagios interface or monitoring a KDC?  If you are asking about 
monitoring I have written a plug-in for nagios that monitors our KDCs 
here.  I am sure I could share. 

Mark

jay alvarez wrote:

>Good day,
>
>  We had a meeting last time regarding the need for a
>centralized authentication in our agency. Everyone
>except me, was looking into using an ldap directory. I
>insist on them that if we were to use ldap for sole
>authentication purpose, ldap was not designed for it,
>and we should be considering the use of kerberos
>instead. But I told them that there is a catch, if we
>were to use kerberos, we must find a kerberized
>versions for those network services we wish to use the
>kerberos authentication. In short, other custom made
>apps, such as web applications must find a way to know
>how to interact with kerberos. On the other hand,
>doing some research of my own, ldap support for
>popular services seems to be more available than that
>with kerberos support. At the end of our meeting, we
>have agreed upon the accounting of our services which
>requires authentication and finding out if it supports
>authentication through ldap (since we still need the
>directory functions of ldap).
>
>But my problem is this, I've been reading a lot of
>discussion regarding the use of kerberos
>authentication, its strength against other mechanisms,
>the whole protocol itself and I'm pretty much
>convinced that for authentication, kerberos is the
>only way to go. In short, I'm still looking forward to
>using kerberos in our network services authentication
>instead of ldap which leads me to a bigger problem.
>Will it be achievable for the following services?:
>
>jabberd2 (by just looking at its config file, it
>definitely supports ldap, not sure with kerberos)
>
>Nagios server monitoring(I've heard some discussions
>regarding its ldap support, not sure with kerberos)
>
>rt3 TTS(also read some ldap support, not sure with
>kerberos)
>
>email (qmail or postfix) I just bumped into a document
>saying postfix supports sasl/gssapi, and qmail has a
>qmail-ldap version but not sure with qmail-kerberos.
>
>ssh (I saw its sshd_config and it has an option for
>kerberos authentication)
>
>Unix login (I'm also quite sure it supports being
>kerberized)
>
>radius wifi login (ldap support, also not sure with
>kerberos)
>
>ftp (although kerberos provides kerberized ftpd, we
>are currently using ProFTP, no idea if it supports
>kerberos authentication)
>
>samba (we are using snap server. It's an appliance
>which if it doesn't support kerberos, there's no way
>to tweak it, I guess.)
>
>web apps (I've read some docs regarding apache modules
>for kerberos, some patches for some web browser to
>support kerberos authentication and also some rfcs
>which discuss adding kerberos mech to the SSL/TLS
>protocol.)
>
>openldap directory (it definitely supports kerberos)
>
>Summary of apps that I'm SURE it has kerberos support:
>postfix
>ssh
>unix logins
>ldap
>
>Summary of apps that I'm NOT SURE if it has kerberos
>support:
>
>jabberd2
>webapps
>samba(Snap server)
>radius
>rt
>nagios
>
>Our bosses rely on best practices most of the time
>such as using the most widely used email server, ftp,
>etc. If only I can convince them the ease of having a
>rock-solid single sign-on environment kerberos has to
>offer, which I think I can, I'm sure it would be easy
>to convince them to use other software alternatives if
>it supports kerberos rather than those popular ones
>which lack it. 
>
>My huge problem is, will it be achievable for those
>services I have mentioned above?  IMO, I don't see any
>sense on kerberizing some of the services while others
>are still authenticating through ldap, do you?
>
>What do you think?
>
>
>Thanks!
>-jay