[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: KerberLDAP (Re: openbsd yp security)

On Fri, Jan 31, 2003 at 02:07:35AM -0500, Chuck Yerkes wrote:
> Quoting dreamwvr_(_at_)_dreamwvr_(_dot_)_com (dreamwvr_(_at_)_dreamwvr_(_dot_)_com):
> >  Great thread! Speaking of alternately. Anyone doing kerberos 
> > with LDAP? Just curious and inquiring mind and all that.
> I've actually muttered "Kerberos" to Kurt Zeilenga to be
> a pest and he jumped in agreement.  LDAP is a DIRECTORY
> protocol, not an authentication protocol.
Yippers. Lightweight but being asked to do more Heavyweight
duties all the time. It seems anyhow. Well suppose speed would
be its greatest asset. Plus the idea of a worldwide tree 
hierarchy from what I understand of it. Thought Kerberos 
would be a good thing as well. IIR the university of 
Michigan has a implementation that has LDAP with Kerberos.
That is why I had thought it might be a way to go.
> The way we authenticate is to take the username/password
> and bind to the LDAP server with those.  If it works
> the username/password pair worked.
Yes base pairings. How does it determine rebinds? 
Then sheath it with SSL for sure. 
> So this means that you want to bind to the LDAP server
> over a secure connection.  I've used pocket networks and
> clear text [pocket network: a very private network on another
> interface - often a slave LDAP server that's dedicated to that
> chunk of infrastructure (email for me)].
pocket networks really don't know the term till now.. still
don't really know the term. 
> Given that my boxes often had a long term relationship with
> the LDAP server(s), IPSEC can make sense.  The sort of worse
> case is the most common case of LDAP/SSL.  Very expensive and
> LDAP servers don't benefit too much from rainbow cards for
> these very short lived connections.  Cleartext is not an
> acceptable option ever.  YP is even better than that <shudder>.
again rainbow cards? Well don't know the term:)
> Back to point: Kerberos is hard for many sites.  Its setup is
> documented pretty poorly and there aren't really good GUI
> tools for the average system admin in 2003.  K developers I
> knew have offered that basically once you set it up, you don't
> really want to go back and make tools to make that setup better
> because your done.  This, I think, has been the biggest reason
> that 14 years after Kerberos came about it's still not in
> common use.
Good point. Well taken. However it would be nice since one 
knows your LDAP structure and can IIR pair it off for 
networks that are trusted or not. Would it not be rather
clean to do kerberos for trusted and otherwise not? 
providing a less trusted approach for other cases?
Seems like an idea anyhow.  
> Kerberos also doesn't quite work right for several apps I've
> dealt with.  What jumps to mind first is Web Mail.  PROPERLY,
> you'd have your Kerberos ticket, your browser would pass the
> that to the web server and you'd be logged in through that.
Now that would be a nice to have in certain circumstances.
Using kerberos tickets instead of cookies not that would be interesting.
> (this also requires that you be on a "known" computer and part
> of the server's realm).  Realistically, people type their
> username/password over the net (with SSL we hope).  The
> application passes that information to the IMAP server.  The
> IMAP server that supports Kerberos usually takes username/password
> and try to get a kerberos ticket - if it works, then it lets
> you get mail.  This is not the kerberos model.
point taken.
> So you might as well use LDAP for authentication.  You're not
> really giving anything up.
Not sure. My current thoughts are to an extent that LDAP would 
be definate improvement for transparency with many OSes playing
nice in the same authentication env. Well now to try it with
OpenBSD. Hey thanks for the stream.

Best Regards,

/*  Security is a work in progress - dreamwvr                 */
# Note: To begin Journey type man afterboot,man help,man hier[.]      
// "Who's Afraid of Schrodinger's Cat?" /var/(.)?mail/me \?  ;-]