RE: [fw-wiz] LDAP and Kerberos?
From: Christopher Hicks (chicks_at_chicks.net)
To: Firewall Wizards Mailing List <email@example.com>, "Melson, Paul" <PMelson@sequoianet.com>
Date: Mon, 20 Sep 2004 12:27:14 -0400 (EDT)
On Mon, 20 Sep 2004, Melson, Paul wrote:
>> -----Original Message-----
>> On Mon, 20 Sep 2004, Melson, Paul wrote:
>>> I'm not sure you've given enough information about your back end
>>> architecture to say for sure,
>> I'm not sure what else to say about the architecture. I'll
>> be happy to answer any questions though.
> Specifically, what else besides the web application will you be
> authenticating? How many users? If the primary goal of this directory
> is to provide authentication for this web app. plus maybe admin
> services, then Kerberos is a waste of time since it's not compatible
> with the web app.
About 200 users currently. The LDAP server will be used for
authenticating a handful of web apps (one of which is bugzilla and several
others we've written in house), authenticating Linux/UNIX shell users
across a dozen boxes, and supporting distributing authoritative sendmail
across an array of three boxes widely geographically distributed. So,
kerberos gets me nothing for sendmail or bugzilla as far as I know. I'm
sure the Linux login piece could be kerberized, but since the primary
login method for 98% of the users is across the web there's not going to
be any useful single logon. Oh, I do want to do samba through LDAP at
> The advantage of mutual authentication is that it prevents playback
> spoofing and man-in-the-middle attacks. It's designed to make it
> difficult for a third system to get access to services by eavesdropping
> or otherwise intercepting or interfering with the authentication
Ah, so I can set up my own CA and accomplish most of the same thing. I see
now. Thank you.
-- </chris>
There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies. -- C.A.R. Hoare
_______________________________________________
firewall-wizards mailing list
firstname.lastname@example.org
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
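The "set up my own CA" approach that closes this message, shown as an added configuration example that is not part of the thread and not anything either poster wrote: with OpenLDAP, the server verifies client certificates issued by the in-house CA and each client verifies the server's certificate against the same CA, which is what gives LDAP-over-TLS the mutual authentication the quoted reply describes. The hostname, base DN and certificate paths below are assumptions.

```conf
# --- slapd.conf (OpenLDAP server side) ---
# Certificates issued by the in-house CA; all paths are assumed values.
TLSCACertificateFile  /etc/openldap/certs/example-ca.pem
TLSCertificateFile    /etc/openldap/certs/ldap-server.pem
TLSCertificateKeyFile /etc/openldap/certs/ldap-server.key
# "demand": refuse any client that does not present a certificate signed
# by the CA above. Use "try" while rolling certs out, then tighten.
TLSVerifyClient demand
# Require a TLS session (strength factor >= 1) before any operation,
# so simple binds never carry a cleartext password over the wire.
security tls=1

# --- /etc/openldap/ldap.conf (client side: ldapsearch, pam_ldap, nss_ldap) ---
URI  ldaps://ldap.example.net
BASE dc=example,dc=net
TLS_CACERT /etc/openldap/certs/example-ca.pem
# "demand": drop the connection if the server certificate is missing or
# not signed by the in-house CA. That is what stops a man-in-the-middle
# that presents its own certificate; "never" and "allow" accept it silently.
TLS_REQCERT demand

# --- ~/.ldaprc (per-user; TLS_CERT/TLS_KEY are user-only options in OpenLDAP
#     and are ignored in the system-wide ldap.conf) ---
TLS_CERT /etc/openldap/certs/this-host.pem
TLS_KEY  /etc/openldap/certs/this-host.key
```

Two checks worth doing after this is in place: `ldapsearch -ZZ` (or an `ldaps://` URI) must fail, not fall back to cleartext, when the server certificate is swapped for one the CA did not sign; and `TLS_REQCERT` must be `demand` on every host that runs pam_ldap or nss_ldap, since a single client left at `allow` reintroduces the interception problem for that box.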