Nicolas GRENECHE wrote:
I need tu replace an old NIS with a topnotch OpenLDAP server.
I would like to add SSO support on my brand new architecture.
2 scenarii may occur :
1) Using pam_kerberos to authentaicate against KDC and retreiving
information from LDAP server with SASL.
The backward is that anyone (or anything) that need to authenticate MUST
be kerberos aware.
You mean that any LDAP client must be Kerberos aware? Certainly clients don't
need to know anything about Kerberos for pam_kerberos to work. And Kerberos in
LDAP is just a matter of using SASL, the Kerberos details are handled by GSSAPI.
2) Having LDAP and Kerberos passwords synced.
Asset : You can authenticate through LDAP or kerberos (pam_ldap required
an pam_kerberos optional) ie you must authenticate against LDAP and if
Kerberos autentication success you get a TGT !
Backward : Two password databases to protect / lot of work on client
side / passwords must be synced (Do you now materials to do it ?).
This doesn't seem to offer any actual benefits over (1). But as a matter of
course, I would use a Heimdal KDC backed by OpenLDAP, in which case there is
only one password database for both.
I add that security is not a major concern for us and we got many OS
client side that's why the 1st solution may not fit our needs.
Has someone ever experienced the second solution ?
Have you some hints and feedbacks ?
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/