Excellent comments by David. Just to add a few things...
On Fri, 01 Aug 2003 11:26:21 -0400
David Z Maze <firstname.lastname@example.org> wrote:
Raffaele Sandrini <email@example.com> writes:
I am not sure if it is possible for these three components (AFS, LDAP
and Kerberos 5) to interact together using LDAP as central
infobase. M$ has managed to get that to work with its AD and Login
system and DFS which is all Kerberos 5 based.
Much of that unification is done behind the scenes. Passwords are still
kept in a Kerberos database, not in LDAP/AD, which means that there is
at least a simple hash between usernames and passwords in Kerberos, if
nothing else. I've never looked into DFS, so I can't comment on the
architecture, but from what I understand AFS is considerably more
sophisticated than DFS anyway, so they are probably not directly
At MIT, there's some local very ugly glue that tries to keep
And there is similar glue pretty much everywhere else. All the pieces
are modular enough to be strung together easily. If it's not worth an
hour or two to create some simple scripts, then your site shouldn't be
using these systems.
There are several issues which need to be thought about:
- Is there a need for Kerberos 5? Is LDAP over SSL not equally secure?
"Is there a need for breakfast cereal? Does not copy paper provide
fiber?" Really, these are two completely separate things.
LOL. To be less witty, LDAP is designed to distribute information,
Kerberos is designed to keep it private. Add to that the fact that
Kerberos is an accepted standard for authentication of other network
services, and you can see why it's around. Again, build some scripts -
it's no big deal.
- Is there a possibility to trim OpenAFS to LDAP so that it does not use
its own user databases?
I don't believe so.
Correct. This is not possible. You must have a pts server and some
form of Kerberos.
- If Kerberos 5 is needed is there a way to trim it to LDAP?
I don't believe so. (But you have the same issues with kaserver as
you would with the krb5 KDC.)
You mean something like LDAPv3 with a K5 authentication backend? Or you
mean something like eliminating pts and getting file permissions through
LDAP? I think it's the latter, in which case the answer is still no.
But there's nothing keeping you from adding pts info to your schema and
managing pts by grabbing info from LDAP.
The system should be the most secure and the simplest one :)).
It's nice to say that, but you're asking about some extremely
powerful systems, designed to serve thousands of users in a huge
variety of network environments. Consider whether you really need AFS.
If you just want everything in LDAP, you should be able to set up Samba
servers that auth against an LDAP backend. You could cut Kerberos and
AFS out altogether then, at the cost of slightly less password security
on the wire.
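As an added illustration (not code from anyone in this thread), here is a small Python sketch of the "manage pts from LDAP" glue described above: it parses a constructed LDIF export of posixGroup/memberUid entries and constructed `pts membership` output, and emits the pts commands that would make AFS group membership match LDAP. The LDAP schema and the exact `pts membership` output format are assumptions; passwords never pass through this script, since authentication stays with Kerberos.

```python
# Constructed sample of what an ldapsearch -LLL export of posixGroup entries
# might look like (assumed schema: cn + memberUid attributes).
SAMPLE_LDIF = """\
dn: cn=staff,ou=groups,dc=example,dc=com
cn: staff
memberUid: alice
memberUid: bob

dn: cn=admins,ou=groups,dc=example,dc=com
cn: admins
memberUid: alice
"""

# Constructed sample of `pts membership <group>` output per group
# (format assumed: a header line, then one indented member per line).
SAMPLE_PTS = {
    "staff": "Members of staff (id: -205) are:\n  bob\n  carol\n",
    "admins": "Members of admins (id: -206) are:\n",
}

def parse_ldif_groups(text):
    """Return {cn: set(memberUid)} from a blank-line separated LDIF export."""
    groups = {}
    for entry in text.strip().split("\n\n"):
        cn, members = None, set()
        for line in entry.splitlines():
            key, _, value = line.partition(": ")
            if key == "cn":
                cn = value
            elif key == "memberUid":
                members.add(value)
        if cn:
            groups[cn] = members
    return groups

def parse_pts_membership(text):
    """Return the set of member names listed under the pts header line."""
    return {l.strip() for l in text.splitlines()[1:] if l.strip()}

def plan_sync(ldap_groups, pts_output):
    """LDAP is authoritative: compute pts commands that reconcile AFS groups."""
    cmds = []
    for cn, wanted in sorted(ldap_groups.items()):
        if cn not in pts_output:          # group unknown to pts: create it first
            cmds.append(f"pts creategroup {cn}")
        current = parse_pts_membership(pts_output.get(cn, ""))
        cmds += [f"pts adduser {u} {cn}" for u in sorted(wanted - current)]
        cmds += [f"pts removeuser {u} {cn}" for u in sorted(current - wanted)]
    return cmds

if __name__ == "__main__":
    print("\n".join(plan_sync(parse_ldif_groups(SAMPLE_LDIF), SAMPLE_PTS)))
```

Run it as a dry run first and review the emitted commands before executing them, since a bad LDAP query would otherwise strip members from every group.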