is that common to use kerberos authentication for SUN iplanet LDAP server?

Markus Moeller huaraz at moeller.plus.com
Fri Sep 2 16:17:36 EDT 2005


Thank you
Markus

"Craig Huckabee" <huck at spawar.navy.mil> wrote in message 
news:43183ECF.6050102 at spawar.navy.mil...
>
>
> I'm sorry, I didn't make what we're doing clear.  Our MIT KDC is our 
> master for our realm, our AD domain trusts that realm.  We 
> add/modify/delete users on our MIT KDC & AD based on our LDAP directory.
>
> All of our user's passwords are kept solely by the KDC.  The GSSAPI LDAP 
> module also includes PAM functionality so our LDAP servers use pam_krb5 to 
> authenticate - so no crypted password hashes in LDAP.  When we push down 
> the users to AD, we set the password field there to a long, random, good, 
> password - the trust allows the users to authenticate solely from the MIT 
> KDC.
>
> So, in the AD case, we just set the appropriate LDAP attribute for each 
> user to the crypted passwd string.  This user replication process is one 
> of the many tools that uses Perl-LDAP & GSSAPI/SASL.
>
> Our tools we give our users to change their password (web based, Unix 
> kpasswd, and Windows Ctrl-Alt-Del still works) only need to change it on 
> the MIT KDC.  Those tools use the standard library functions or the 
> Windows equivalent.
>
> Now if only Microsoft would fix their PKINIT implementation so it would 
> pass requests to trusted domains like the password functions do I'd be 
> happy.
>
> Thanks,
> Craig
>
>
>
>
> Markus Moeller wrote:
>> To point 2) I would do the password change through Kerberos kpasswd or if 
>> you need to do it as an admin I think there is also a function in the MIT 
>> library to do so.
>>
>> Regards
>> Markus
>>
>> "Craig Huckabee" <huck at spawar.navy.mil> wrote in message 
>> news:43175FA9.9090008 at spawar.navy.mil...
>>
>>>Markus,
>>>
>>>  Two reasons:
>>>
>>>  1)  We are working towards turning off non-SSL access to our Sun LDAP 
>>> servers.
>>>
>>>  2)  We ran into problems when talking to AD using Perl-LDAP/SASL 
>>> without SSL.  IIRC, we couldn't do a password change over a non-SSL 
>>> port - AD spit back an error.  Doing everything over SSL cleared up the 
>>> problems.
>>>
>>>But, yes, in most cases we could just use one or the other.
>>>
>>>--Craig
>>>
>>>
>>>Markus Moeller wrote:
>>>
>>>
>>>>Craig,
>>>>
>>>>you say you use SASL + SSL. As far as I know SASL/GSSAPI can do 
>>>>encryption too. What was the reason not to use SASL/GSSAPI with 
>>>>encryption. And example is AD, which can be accessed via SASL/GSSAPI 
>>>>with encryption.
>>>>
>>>>Thanks
>>>>Markus
>>>>
>>>>"Craig Huckabee" <huck at spawar.navy.mil> wrote in message 
>>>>news:4316DEC8.5060809 at spawar.navy.mil...
>>>>
>>>>
>>>>>Kent Wu wrote:
>>>>>
>>>>>
>>>>>>  So my question is that is it pretty easy to enable Kerberos for SUN 
>>>>>> LDAP after installing SEAM? Or can SUN LDAP use other KDC as well?
>>>>>
>>>>> We use Sun's LDAP server with PADL's GSSAPI plugin - we built our copy 
>>>>> against MIT Kerberos 1.3.x and use MIT KDCs.  I think the binary 
>>>>> versions they sold previously also use MIT Kerberos.
>>>>>
>>>>> We now have several processes that regularly use only GSSAPI/SASL over 
>>>>> SSL to authenticate and communicate with LDAP.  Works very well.
>>>>>
>>>>>HTH,
>>>>>Craig
>>>>>
>>>>>________________________________________________
>>>>>Kerberos mailing list           Kerberos at mit.edu
>>>>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>________________________________________________
>>>>Kerberos mailing list           Kerberos at mit.edu
>>>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>>
>>>________________________________________________
>>>Kerberos mailing list           Kerberos at mit.edu
>>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>
>>
>>
>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 





More information about the Kerberos mailing list