Re: User Mangment: LDAP, AFS, Kerberos

[Ken McCord <ken@themccords.com>]

Turbo Fredriksson has a good write-up at 
http://www.bayour.com/LDAPv3-HOWTO.html regarding Kerberos and 
OpenLDAP.  I'm working on a similiar project attempting to integrate 
OpenLDAP, Kerberos and OpenAFS.  IBM Germany has an interesting 
project/product as well. Here's a pdf link to a product presentation:
http://www.linux-verband.de/veranstaltungen/v_event/syn2003/live-oehme-20030416.pdf

Email me off-line if you want a copy of my docs (so far).  They include 
Debian base system installation, OpenLDAP installation/configuration 
(Primary and Secondary servers) and Kerberos V 
installation/configuration (Primary and Secondary).  Some other stuff as 
well...

Ken McCord



Todd Pytel wrote:

> Excellent comments by David. Just to add a few things...
>
> On Fri, 01 Aug 2003 11:26:21 -0400
> David Z Maze <dmaze@debian.org> wrote:
>
>  
>
> > Raffaele Sandrini <rasa@gmx.ch> writes:
> >
> >    
> >
> > > I am not sure if it is possible for this three compnents (AFS,LDAP
> > > and Kerberos 5) to interact together using LDAP as central
> > > infobase. M$ has managed to get that to work with its AD and Login
> > > system and DFS wich is all kerberos 5 based.
> > >      
>
> Much of that unification is done behind the scenes. Passwords are still
> kept in a Kerberos database, not in LDAP/AD, which means that there is
> at least a simple hash between usernames and passwords in Kerberos, if
> nothing else. I've never looked into DFS, so I can't comment on the
> architecture, but from what I understand AFS is considerably more
> sophisticated than DFS anyway, so they are probably not directly
> comparable.
>
>  
>
> > At MIT, there's some local very ugly glue that tries to keep
> > everything synchronized.  
> >    
>
> And there is similar glue pretty much everywhere else.  All the pieces
> are modular enough to be strung together easily.  If it's not worth an
> hour or two to create some simple scripts, then your site shouldn't be
> using these systems.  
>
>  
>
> > > There are several issues wich need to be thought about:
> > > - Is there a need for Kerberos 5? Is LDAP over SSL not equal secure?
> > >      
> > "Is there a need for breakfast cereal?  Does not copy paper provide
> > fiber?"  Really, these are two completely separate things.
> >    
>
> LOL. To be less witty, LDAP is designed to distribute information,
> Kerberos is designed to keep it private.  Add to that the fact that
> Kerberos is an accepted standard for authentication of other network
> services, and you can see why it's around.  Again, build some scripts -
> it's no big deal.  
>
>  
>
> > > - Is there a possiblity to trim OpenAFS to LDAP so that it not uses
> > >  its own userdatabases?
> > >      
> > I don't believe so.
> >    
>
> Correct.  This is not possible.  You must have a pts server and some
> form of Kerberos.
>
>  
>
> > > - If Kerberos 5 is needed is there a way to trim it to LDAP?
> > >      
> > I don't believe so.  (But you have the same issues with kaserver as
> > you would with the krb5 KDC.)
> >    
>
> You mean something like LDAPv3 with a K5 authentication backend?  Or you
> mean something like eliminating pts and getting file permissions through
> LDAP?  I think it's the latter, in which case the answer is still no. 
> But there's nothing keeping you from adding pts info to your schema and
> managing pts by grabbing info from LDAP.
>
>  
>
> > > The system should be the most secure and the most simple one :)).
> > >      
>
> It's nice to say that, but you're asking about some extremely
> powerful systems, designed to serve 1000's of users in a huge
> variety of network environments. Consider whether you really need AFS.
> If you just want everything in LDAP, you should be able to set up Samba
> servers that auth against an LDAP backend.  You could cut Kerberos and
> AFS out altogether then, at the cost of slightly less password security
> on the wire.
>
> --Todd
>
>
>