In article <[EMAIL PROTECTED]>, Mr J.A. Gilbertson <[EMAIL PROTECTED]> wrote:
>On Thu, 8 Nov 2007, Ken Raeburn wrote:
>
>Do you know of any other method whereby we would be able to effectively
>let Kerberos delegate the authentication step to LDAP, and then carry on
>as if that part had been done itself?
>
All Kerberos does is authentication. There have been some efforts to use LDAP as the back-end data store for a KDC, but I don't know how successful they are. Doing it in a reasonably secure fashion would also require some very careful work. I think the Heimdal code has some experimental support for this.

Most sites that use LDAP and Kerberos either use Active Directory (which more or less has this integration already) or use Kerberos for authentication and LDAP for authorization. There is usually a sync process that creates accounts for users in both services.

I don't think there is really any practical way to use LDAP username/password authentication inside of Kerberos, mostly because the password never leaves the local machine in the Kerberos protocol.

There's a project out there that attempts to duplicate all of Active Directory with open source software. I've forgotten the name (padl.com?), but you might look at that to understand what's available and the underlying problem.

_ Booker C. Bense
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
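The point about the password never leaving the client is the crux of why a KDC cannot hand the authentication step to an LDAP simple bind: the KDC only ever holds a key derived from the password, and the client only ever sends proof that it knows that key. The following is an added toy model of the Kerberos AS pre-authentication exchange (not code from the list thread or from any KDC implementation) that makes this visible. It simplifies in two labelled places: the string-to-key step keeps only the PBKDF2 part of the RFC 3962 derivation, and the "encrypted timestamp" of PA-ENC-TIMESTAMP is replaced by an HMAC tag over the timestamp so the example needs nothing beyond the standard library. The principal, realm and password values are constructed for the demonstration.

```python
"""Toy model of Kerberos AS pre-authentication (PA-ENC-TIMESTAMP style).

The client derives a key from the password and proves possession of that key;
the password itself is never put on the wire, and the KDC never stores it.
Simplifications (assumptions, not real Kerberos): PBKDF2-HMAC-SHA256 in place
of the full RFC 3962 string-to-key, and an HMAC tag in place of encryption.
"""
import hashlib
import hmac
import struct
import time

CLOCK_SKEW = 300  # seconds; the conventional Kerberos tolerance for clock drift


def string_to_key(password: str, principal: str, realm: str) -> bytes:
    # Kerberos salts the derivation with realm + principal so equal passwords in
    # different realms give different keys. Iteration count chosen for the toy.
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096, dklen=32)


def _timestamp_tag(key: bytes, ts: int) -> bytes:
    # Stand-in for encrypting the timestamp under the client's long-term key.
    return hmac.new(key, struct.pack(">q", ts), hashlib.sha256).digest()


class ToyKDC:
    """Holds derived keys only; it has no way to reconstruct a password."""

    def __init__(self, realm: str):
        self.realm = realm
        self.keys = {}  # principal -> derived long-term key

    def enroll(self, principal: str, password: str) -> None:
        # The password is consumed here and discarded; only the key is kept.
        self.keys[principal] = string_to_key(password, principal, self.realm)

    def as_req(self, principal: str, ts: int, tag: bytes, now: float):
        """Return (ticket, reason). The request carries no password at all."""
        key = self.keys.get(principal)
        if key is None:
            return None, "unknown principal"
        if abs(now - ts) > CLOCK_SKEW:
            return None, "clock skew too great"
        if not hmac.compare_digest(_timestamp_tag(key, ts), tag):
            return None, "pre-authentication failed"
        # Placeholder for the real TGT; the toy only needs to show success.
        return f"TGT-for-{principal}@{self.realm}", "ok"


def client_preauth(password: str, principal: str, realm: str, now: float):
    """What the client sends: principal, timestamp, proof of key possession."""
    key = string_to_key(password, principal, realm)
    ts = int(now)
    return principal, ts, _timestamp_tag(key, ts)


if __name__ == "__main__":
    kdc = ToyKDC("EXAMPLE.COM")
    kdc.enroll("alice", "correct horse battery staple")  # constructed sample
    now = time.time()
    wire = client_preauth("correct horse battery staple", "alice", "EXAMPLE.COM", now)
    print("on the wire:", wire)  # note: no password field anywhere
    print(kdc.as_req(*wire, now=now))
    print(kdc.as_req(*client_preauth("wrong", "alice", "EXAMPLE.COM", now), now=now))
```

Because `ToyKDC.as_req` receives only a principal, a timestamp and a tag, there is nothing it could forward to an LDAP bind even if it wanted to; the same shape holds for a real KDC, which is why sites keep Kerberos for authentication and use LDAP for authorization, as the reply describes.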
