[Gllug] LDAP and Kerberos

John Edwards john at cornerstonelinux.co.uk
Tue Jan 31 16:23:05 UTC 2006


On Tue, Jan 31, 2006 at 04:03:02PM +0100, Dani Pardo wrote:
> En/na Simon Morris wrote:
>> So - having logged into the network you now have a TGT to present to 
>> other services running "kerberised" services. These services could be 
>> SMTP, IMAP, SMB etc.
> 
>  Mm.. sounds like pam, but over the network and controlled via a 
> central "brain" and based on tickets. Cool.
>  I've read that this protocol was written in the 80's, the v2 and v3 
> were bloated, and v4 had security flaws. So v5 should be considered 
> *the* kerberos. What surprises me is.. has it really been Microsoft 
> the first to make a *broad deployment* of Kerberos with AD? Or have I been 
> living under a rock?

Solaris had Kerberos (without LDAP) before Windows 2000, including 
NFS and the rsh tools (rlogin, rcp, etc). The problem was that 
Kerberos was not easy to deploy on a heterogeneous network, eg 
one that included such horrors as PC/NFS (NFS for DOS).

OpenBSD has also had Kerberos available, though I'm not sure to 
what extent its service included it by default.


> I mean, I have the impression that it has always been here, and now it's 
> not as easy as adding pam-kerberos to /etc/pam.d/* and "Voila! Single 
> sign on and central authentication!". 

Not all systems are able to run PAM, and some you would not want to run 
PAM (eg Apache). Then you either need to compile with Kerberos support 
(eg SSH) or use a module (Apache).


> Or is there any project going into that direction?

RedHat Linux used to have Kerberos as a tick box in their setup 
utility, and I'd guess that Fedora and 


-- 
#---------------------------------------------------------#
|    John Edwards   Email: john at cornerstonelinux.co.uk    |
|                                                         |
| A. Because it breaks the logical sequence of discussion |
| Q. Why is top posting bad ?                             |
#---------------------------------------------------------#