Need some tips on kerberizing our ENTIRE network
jay alvarez
kerber0sb0y at yahoo.com
Wed Jul 6 01:44:31 EDT 2005
--- Mark Campbell <mcc171 at psu.edu> wrote:

> When you ask about nagios support are you asking about
> authentication to

I'm referring to nagios authentication of restricted
pages, but it's more of a webserver/browser negotiation
problem as others have already mentioned.

> the nagios interface or monitoring a KDC? If you are asking about
> monitoring I have written a plug in for nagios that monitors our
> KDCs here. I am sure I could share.

Thanks!
Your plugin is interesting, I'll be looking forward to
obtaining it when we already have our kdc configured.
>
> Mark
>
> jay alvarez wrote:
>
> >Good day,
> >
> >We had a meeting last time regarding the need for a centralized
> >authentication in our agency. Everyone except me was looking into
> >using an ldap directory. I insist on them that if we were to use
> >ldap for sole authentication purpose, ldap was not designed for it,
> >and we should be considering the use of kerberos instead. But I told
> >them that there is a catch, if we were to use kerberos, we must find
> >kerberized versions for those network services we wish to use the
> >kerberos authentication. In short, other custom made apps, such as
> >web applications must find a way to know how to interact with
> >kerberos. On the other hand, doing some research of my own, ldap
> >support for popular services seems to be more available than that
> >with kerberos support. At the end of our meeting, we have agreed
> >upon the accounting of our services which requires authentication
> >and finding out if it supports authentication through ldap (since we
> >still need the directory functions of ldap).
> >
> >But my problem is this, I've been reading a lot of discussion
> >regarding the use of kerberos authentication, its strength against
> >other mechanisms, the whole protocol itself and I'm pretty much
> >convinced that for authentication, kerberos is the only way to go.
> >In short, I'm still looking forward to using kerberos in our network
> >services authentication instead of ldap which leads me to a bigger
> >problem. Will it be achievable for the following services?:
> >
> >jabberd2 (by just looking at its config file, it definitely
> >supports ldap, not sure with kerberos)
> >
> >Nagios server monitoring (I've heard some discussions regarding its
> >ldap support, not sure with kerberos)
> >
> >rt3 TTS (also read some ldap support, not sure with kerberos)
> >
> >email (qmail or postfix) I just bumped into a document saying
> >postfix supports sasl/gssapi, and qmail has a qmail-ldap version but
> >not sure with qmail-kerberos.
> >
> >ssh (I saw its sshd_config and it has an option for kerberos
> >authentication)
> >
> >Unix login (I'm also quite sure it supports being kerberized)
> >
> >radius wifi login (ldap support, also not sure with kerberos)
> >
> >ftp (although kerberos provides kerberized ftpd, we are currently
> >using ProFTP, no idea if it supports kerberos authentication)
> >
> >samba (we are using snap server. It's an appliance which if it
> >doesn't support kerberos, there's no way to tweak it, I guess.)
> >
> >web apps (I've read some docs regarding apache modules for kerberos,
> >some patches for some web browser to support kerberos authentication
> >and also some rfcs which discusses adding kerberos mech to the
> >SSL/TLS protocol.)
> >
> >openldap directory (it definitely supports kerberos)
> >
> >Summary of apps that I'm SURE it has kerberos support:
> >postfix
> >ssh
> >unix logins
> >ldap
> >
> >Summary of apps that I'm NOT SURE if it has kerberos support:
> >
> >jabberd2
> >webapps
> >samba(Snap server)
> >radius
> >rt
> >nagios
> >
> >Our bosses rely on best practices most of the time such as using
> >the most widely used email server, ftp, etc. If only I can convince
> >them the ease of having a rock-solid single sign-on environment
> >kerberos has to offer, which I think I can, I'm sure it would be
> >easy to convince them to use other software alternatives if it
> >supports kerberos rather than those popular ones which lack it.
> >
> >My huge problem is, will it be achievable for those services I have
> >mentioned above? IMO, I don't see any sense on kerberizing some of
> >the services while others are still authenticating through ldap, do
> >you?
> >
> >What do you think?
> >
> >
> >Thanks!
> >-jay
> >
> >________________________________________________
> >Kerberos mailing list Kerberos at mit.edu
> >https://mailman.mit.edu/mailman/listinfo/kerberos