MIT Kerberos LDAP backend
Booker Bense
bbense at telemark.slac.stanford.edu
Thu Nov 8 14:20:26 EST 2007
In article <mailman.84.1194545352.9118.kerberos at mit.edu>,
Mr J.A. Gilbertson <jgilbert at liverpool.ac.uk> wrote:
>On Thu, 8 Nov 2007, Ken Raeburn wrote:
>
>Do you know of any other method whereby we would be able to effectively
>let Kerberos delegate the authentication step to LDAP, and then carry on
>as if that part had been done itself?
>
All Kerberos does is authentication. There have been some efforts
to use LDAP as the back end data store for a KDC, but I don't
know how successful they are. Doing it in a reasonably secure
fashion would also require some very careful work. I think the
Heimdal code has some experimental support for this.
Most sites that use LDAP and Kerberos either use Active Directory (which more
or less has this integration already) or use Kerberos for
authentication and LDAP for authorization. There is usually a sync
process that creates accounts for users in both services.
I don't think there is really any practical way to use LDAP
username/password authentication inside of Kerberos, mostly since
the password never leaves the local machine in the Kerberos
protocol.
There's a project out there that attempts to duplicate all of
Active Directory with open source software. I've forgotten the
name (padl.com ?), but you might look at that to understand
what's available and the underlying problem.
_ Booker C. Bense
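The point made above about the password never leaving the client is easiest to see by walking through the encrypted-timestamp pre-authentication step of the AS exchange. The following is an added illustration by the editor, not code from the post, from MIT Kerberos or from Heimdal: the realm, principal and password are constructed sample values, the string-to-key is modelled on the PBKDF2 step of RFC 3962 (the final DK() step is omitted), and an HMAC over the timestamp stands in for the real Kerberos encryption of the PA-ENC-TS-ENC structure so that the exchange runs offline with only the standard library. The KDC side only ever holds a derived key and only ever receives a sealed timestamp, which is why there is no password for it to hand to an LDAP bind.

```python
"""Simplified model of Kerberos PA-ENC-TIMESTAMP pre-authentication.

Illustration only (editor's example, not MIT Kerberos or Heimdal code):
- string_to_key() follows the PBKDF2-HMAC-SHA1 step of RFC 3962 with
  salt = realm + principal; the RFC's final DK() step is left out.
- seal_timestamp() uses an HMAC where real Kerberos encrypts an ASN.1
  PA-ENC-TS-ENC; it is enough to show the proof-of-knowledge property.
"""
import hashlib
import hmac
import time

# Constructed sample data for this example.
REALM = "EXAMPLE.COM"
PRINCIPAL = "alice"
PASSWORD = "correct horse battery staple"

ITERATIONS = 4096  # default PBKDF2 iteration count from RFC 3962
CLOCK_SKEW = 300   # seconds; the KDC rejects timestamps outside this window


def string_to_key(password: str, realm: str, principal: str) -> bytes:
    """Derive the long-term key from a password (RFC 3962 style, simplified)."""
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS, 32)


def seal_timestamp(key: bytes, ts: int) -> bytes:
    """Stand-in for the Kerberos encrypt operation over a timestamp."""
    return hmac.new(key, ts.to_bytes(8, "big"), "sha256").digest()


def client_build_pa_enc_timestamp(password, realm, principal, now):
    """Client side: derive the key locally and seal the current time.

    This is the only place the password is used; what leaves the machine
    is the timestamp and its seal, never the password itself.
    """
    key = string_to_key(password, realm, principal)
    ts = int(now)
    return ts, seal_timestamp(key, ts)


class KDC:
    """Holds long-term keys only; it never sees or stores a password."""

    def __init__(self, realm):
        self.realm = realm
        self.keys = {}

    def enroll(self, principal, password):
        # Enrollment (kadmin-style): run string-to-key once, keep the key,
        # discard the password.
        self.keys[principal] = string_to_key(password, self.realm, principal)

    def check_preauth(self, principal, pa_data, now):
        """Verify PA-ENC-TIMESTAMP data from an AS-REQ."""
        key = self.keys.get(principal)
        if key is None:
            return False
        ts, seal = pa_data
        if not hmac.compare_digest(seal, seal_timestamp(key, ts)):
            return False  # seal made with a different key, i.e. wrong password
        return abs(int(now) - ts) <= CLOCK_SKEW  # reject stale or replayed data


def run_exchange(password_typed, now):
    """Drive one pre-auth round; return (accepted, bytes seen on the wire)."""
    kdc = KDC(REALM)
    kdc.enroll(PRINCIPAL, PASSWORD)
    ts, seal = client_build_pa_enc_timestamp(password_typed, REALM, PRINCIPAL, now)
    wire = PRINCIPAL.encode() + ts.to_bytes(8, "big") + seal
    return kdc.check_preauth(PRINCIPAL, (ts, seal), now), wire


if __name__ == "__main__":
    ok, wire = run_exchange(PASSWORD, time.time())
    print("correct password accepted:", ok)
    print("password present on the wire:", PASSWORD.encode() in wire)
    print("wrong password accepted:", run_exchange("guess", time.time())[0])
```

Because the KDC's check is "does the client hold the key that string-to-key produces from the password", the only way to plug an LDAP directory into this flow is for the KDC to read keys (or key-bearing records) out of LDAP as its database, which is the LDAP-backend approach mentioned above, not to forward a password to an LDAP bind.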