Re: [fw-wiz] LDAP and Kerberos?

• Previous message: ArkanoiD: "Re: [fw-wiz] LDAP and Kerberos?"
• In reply to: Christopher Hicks: "RE: [fw-wiz] LDAP and Kerberos?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: firewall-wizards@honor.icsalabs.com
Date: Tue, 21 Sep 2004 11:24:29 -0700

On September 20, 2004 09:27 am, Christopher Hicks wrote:
> About 200 users currently. The LDAP server will be used for
> authenticating a handful of web apps (one of which is bugzilla and several
> others we've written in house), autenticating Linux/UNIX shell users
> across a dozen boxes, and supporting distributing authoritative sendmail
> across an array of three boxes widely geographically distributed. So,
> kerberos gets me nothing for sendmail or bugzilla as far as I know. I'm
> sure the Linux login piece could be kerberized, but since the primary
> login method for 98% of the users is across the web there's not going to
> be any useful single logon. Oh, I do want to do samba through LDAP at
> some point.
>
One of the valid security advantages of kerberos vs ldap is the finite
lifetime of the ticket and the central management of ticket lifetime. This
would make sense for your samba deployment, and linux/UNIX shell access, but
has no value for your web app.

-- 
Mason Schmitt
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

• Previous message: ArkanoiD: "Re: [fw-wiz] LDAP and Kerberos?"
• In reply to: Christopher Hicks: "RE: [fw-wiz] LDAP and Kerberos?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Authenticating LDAP connection with current windows users credentials? ... setup and theory behind an ldap ... The Kerberos only works with ADS right now but that is sufficient for your situation. ... when the user has logged in interactively and therefore has a valid Kerberos ticket cached in Windows logon credential cache. ... CallbackHandler callbackHandler = new KerbCallback; ... (comp.lang.java.programmer) Re: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap? ... (Specified realm `persona.de' not allowed by configuration) ... I recommend steering this thread back onto the kerberos mailing list. ... So what you're saying is that users do not know their userPrincipalName ... You could split the name and do an LDAP search on sAMAccountName=abaker ... (comp.protocols.kerberos) Re: Kerberos Confusion / Design Questions ... > I'm planning on deploying Sun-Kerberos with LDAP I have a few design ... > server via gssapi-keyex SSO and other servers can log back into my ... > that is puzzling me is how to handle Kerberos access, ... > authentication will basically be provided through LDAP at this point ... (comp.protocols.kerberos) LDAP+Kerberos in Solaris 8 ... LDAP & Kerberos clients: ... error No account present for user ... # Authentication management ... (SunManagers) RE: LDAP SSL Problems (was: service script (/etc/init.d/ldap)) ... For users of Fedora Core releases ... >> Your certificate creation method did not work. ... I have successfully gotten LDAP to run, ... Also still messing with kerberos and trying to get the nuances ... (Fedora)