On Mon, 04 Oct 2004 10:55:49 +0800 sam <[EMAIL PROTECTED]> wrote:

> Hi,
>
> I'm not sure which Kerberos I should use. With Heimdal, it is a
> thread-safe implementation, while MIT's Kerberos is not.
>
> Please correct me if I'm wrong, it appears that there are more
> applications that support MIT Kerberos than Heimdal.
>
> I basically want to use Kerberos as an SSO server and allow various
> internet/network services to securely authenticate with
> users. Applications I would like to be kerberized are samba, apache,
> email (ldap)..
>
> So which Kerberos should be used to avoid future difficulty of
> integration with the above applications?

Heimdal does not have a functioning replay cache, so if your app needs
that you must go with MIT. MIT also seems to be more actively
developed. (That's not to say that Heimdal doesn't get worked on.)
Most software these days still depends on MIT; however, porting to
Heimdal is pretty easy.

What my site does is use the Heimdal server and MIT clients. And local
apps (client or server) are all built against MIT. We use Heimdal for
the PK-INIT support.

If Heimdal is thread-safe, that's news to me. You shouldn't care if the
apps you plan to use are off the shelf (sounds that way).

Apache kerberization is a long hard road. You're much better off going
with pubcookie or some such system.
http://middleware.internet2.edu/webiso/ is a good page that points to
lots of web SSO software.

Samba? Good luck there as well.

I don't understand why you wrote 'email (ldap)'; what does LDAP have to
do with SSO for email? Anyway, email kerberization is relatively easy,
but for the end-user, relatively non-eventful since every mail client
will store the user's password for them (and you can do imaps or imap
with digest auth to protect the secrets). LDAP kerberization is also
fairly well handled these days (but again, little to do with email
authentication as such).

Summary: I'd stick with MIT.

/fc
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
