LDAP, SSO and Kerberos (was Re: [Gllug] LDAP)

Simon Stewart sms at lateral.net
Wed Sep 26 12:10:32 UTC 2001


On Wed, Sep 26, 2001 at 12:44:31PM +0100, Alex Hudson wrote:
> On Wednesday 26 September 2001 11:47, you wrote:
> > Hang on, I've never said that you don't need Kerberos for SSO; all
> > I've said is that for simple authentication you _don't_ need
> > Kerberos --- a password will do.
> 
> No, I agree completely. I was just trying to clarify what I said - I didn't 
> mean to infer that Kerberos was needed/useful for anything other than SSO.

Oh right. SSO looks like it could well be a fun thing to play
with. But only if I can get the other clients in the office
authenticating against the (free) Kerberos server. For some reason not
everyone's using Linux on their desktop yet.

> > boxes have to try and take part in _our_ domain. Since you appear to
> > know what you're talking about, how easy is it to get a W2000 machine
> > to authenticate against an OpenLDAP server using MIT Kerberos?
> 
> You can't, not fully, because of the Microsoft extensions. Unfortunately, in 
> this case, Microsoft were probably fully within their rights to do what they 
> did, because Kerberos doesn't support everything that they needed. Kerberos 
> only does single sign-on - i.e., authentication. There is no standard for 
> distributed authorization yet, which is what Microsoft have built into Win2k. 
> It's pretty cool actually - NT & 2k have always been miles ahead of Unix in 
> terms of security infrastructure unfortunately :(

More's the pity. Ho hum. I'm sure that I'll be able to come up with
something, and it's not as if there are many "based on NT" (bont?)
users in the office. As long as things appear to stay the same, things
should be fine. An LDAP GINA might do the trick.

OS X looks like it'll be happy to use LDAP, so that's a plus. Must do
some more poking about, cos at some point we'll move at least some of
our users on to it.

> > Okay, point taken. I still trust my internal network while I'm testing
> > this stuff, though, and I still have a measure of security --- unless
> > someone decrypts my password they can only log on to those facilities
> > on the network that offer access via an MD5'd password sent over the
> > LAN.
> 
> Fair enough. I don't see why you're bothering to MD5 them, though ;P

Weak attempt not to bandy the word "chicken" about the LAN too much?

Cheers,

Simon

-- 
<dhd> even though I know what a 'one time pad' is, it still sounds like
a feminine hygiene product
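As an added illustration of the MD5 point in the exchange above (this is not code from the thread): a password hashed with MD5 and sent over the LAN is a fixed token, so the server accepts the identical bytes on every login and the hash itself becomes the credential; a nonce-based challenge-response (an assumed HMAC-SHA256 scheme, used here only for contrast) rejects a repeated or stale response.

```python
import hashlib
import hmac
import os

# Constructed sample credential for the demonstration (not from the thread).
PASSWORD = b"correct horse battery staple"


def md5_token(password: bytes) -> bytes:
    # The scheme from the thread: the client sends md5(password) over the LAN.
    # The token is identical every login, so whoever holds it holds the credential.
    return hashlib.md5(password).digest()


def server_accepts_md5_token(token: bytes, stored_md5: bytes) -> bool:
    return hmac.compare_digest(token, stored_md5)


class ChallengeResponseServer:
    # Assumed alternative: a fresh random nonce per login, answered with an HMAC
    # keyed by a password-derived secret, so no reusable token crosses the wire.
    def __init__(self, stored_secret: bytes):
        self._secret = stored_secret
        self._outstanding: set = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        # Each nonce is honoured once; a response bound to an old nonce fails.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: bytes, nonce: bytes) -> bytes:
    return hmac.new(hashlib.sha256(password).digest(), nonce, hashlib.sha256).digest()


def demo() -> dict:
    stored_md5 = md5_token(PASSWORD)
    second_login = server_accepts_md5_token(md5_token(PASSWORD), stored_md5)
    srv = ChallengeResponseServer(hashlib.sha256(PASSWORD).digest())
    n1 = srv.challenge()
    r1 = client_response(PASSWORD, n1)
    first, replay = srv.verify(n1, r1), srv.verify(n1, r1)
    stale = srv.verify(srv.challenge(), r1)  # old response, new challenge
    return {"md5_reusable": second_login, "cr_first": first,
            "cr_replay": replay, "cr_stale": stale}
```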

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug