Need some tips on kerberizing our ENTIRE network

Turbo Fredriksson turbo at bayour.com
Wed Jul 6 07:33:34 EDT 2005


Quoting Russ Allbery <rra at stanford.edu>:

>> email (qmail or postfix) I just bumped into a document
>> saying postfix supports sasl/gssapi, and qmail has a
>> qmail-ldap version but not sure with qmail-kerberos.
>
> I don't *think* there's a qmail-smtpd that supports GSSAPI authentication,
> but I'm not sure.

In theory it should work with the additional QmailLDAP/Controls patch.
I DID do some very quick tests when I added SASL support to the patch, but
I never ran it for extensive periods...

> Your problem here will be more on the client side
> anyway; it's hard to find clients other than Eudora that support GSSAPI
> authentication for SMTP.  You can, however, support Kerberos username and
> password over SSL with any server that uses SASL (even though it's ugly
> and ideally you don't want to do that).

Oh, my patch doesn't support THAT, only SASL between Qmail and the LDAP server.
Good idea though. I'll see what I can do...

> No.  You really do not want to have two password repositories that you
> have to keep in sync.  You *can* get LDAP to refer its authentications to
> Kerberos, but my understanding is that this is not the fastest thing in
> the world to do.

It isn't much slower. In theory, a couple of microseconds (depending
on hardware of course - if you run old crap as I do, it's about half
to a quarter of a second per bind :).

