Re: unified authentication

From: Robert Watson (rwatson_at_freebsd.org)
Date: 09/25/03

    Date: Thu, 25 Sep 2003 11:54:55 -0400 (EDT)
    To: Jesse Guardiani <jesse@wingnet.net>
    
    

    On Wed, 24 Sep 2003, Jesse Guardiani wrote:

    > > My current preference in new installs is to use Kerberos5 for
    > > authentication and LDAP for account information. If you're willing to
    > > throw SSL into the mix, a lack of "kerberization" isn't such a problem --
    > > you basically end up using Kerberos5 as a distributed password mechanism
    > > for non-Kerberized clients. I.e., using IMAP over SSL, SMTP over SSL,
    > > etc.
    >
    > And that's more or less what I was thinking of doing here, except it
    > wouldn't be IMAP and SMTP (because that is already handled by my mail
    > server's MySQL database), but Kerberos as a distributed password
    > mechanism for SSH, Apache .htaccess, Cisco routers, etc...
    >
    > Does that work well with FreeBSD 4.8? Or would I need to use 5.x to
    > deploy Kerberos5 in that manner?

    Kerberos5 should work fine; direct support for LDAP is a problem for 4.x
    due to a lack of complete NSS support--to do this directly, you'd need to
    run 5.x. My understanding is that some sites dump their LDAP databases to
    NIS databases and share them on the FreeBSD side using NIS, which is also
    a reasonable (if less secure) solution. If you just want to use Kerberos5
    for password sharing, 4.x should be no problem at all.

    Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
    robert@fledge.watson.org      Network Associates Laboratories

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

