I'm truly a noob when it comes to Kerberos so I apologize in advance if my
questions do not make much sense. I'm looking to propose a recommendation for
my company to implement Kerberos v5 authentication in combination with LDAP
authorization. We are currently using Sun ONE Directory Server for simple bind
authentication and authorization. I would like to know the following:
1) For web applications that currently rely upon LDAP for password info, it is
my understanding that implementing Kerberos would require the password field
for each user authenticating to the web app to be modified with an entry
similar to the following: '{kerberos} [EMAIL PROTECTED]', at which point the
Kerberos client would take over authentication. Is this a valid statement? Is
it truly transparent to the web apps if the password mechanism is changed from
simple bind to Kerberos?
2) Does SASL-GSSAPI using Kerberos provide me with any benefit other than
enabling LDAP servers to securely authenticate with one another for replication
purposes, or is it also the mechanism that enables the LDAP server to
authenticate to the KDC, similar to when a client using PAM_krb5 authenticates
to the KDC when requesting LDAP services? Does anyone know if Sun ONE Directory
Server 5.1 or 5.2 comes with a SASL-GSSAPI plug-in, or would I need to purchase
the PADL product?
3) Is anyone familiar with Turbo Fredriksson's document "Implementing LDAPv3:
OpenLDAP, Kerberos v5 and glue code for distributed data?" Is this the best
model for integrating LDAP and Kerberos v5?
Your comments on the above are appreciated.
-Mike
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos