Sam Tran
2005-Jun-29 21:09 UTC
[Fedora-directory-users] What implementation of Kerberos preferred?
Hi all,

I would like to know what implementation of Kerberos is preferred to setup SASL/GSSAPI with Fedora DS: MIT or Heimdal?

Thanks for your comments.
Sam
David Boreham
2005-Jun-29 21:31 UTC
Re: [Fedora-directory-users] What implementation of Kerberos preferred?
Sam Tran wrote:
> I would like to know what implementation of Kerberos is preferred to
> setup SASL/GSSAPI with Fedora DS: MIT or Heimdal?

It was developed, tested and is supported with MIT (or the OS vendor's native krb implementation in the case of other OSes, which I believe are all derived from MIT). Doesn't mean that it won't work ok with Heimdal of course.
Sam Tran
2005-Jun-30 15:29 UTC
Re: [Fedora-directory-users] What implementation of Kerberos preferred?
On 6/29/05, David Boreham <david_list@boreham.org> wrote:
> Sam Tran wrote:
> > I would like to know what implementation of Kerberos is preferred to
> > setup SASL/GSSAPI with Fedora DS: MIT or Heimdal?
>
> It was developed, tested and is supported with MIT (or the OS vendor's
> native krb implementation in the case of other OSes, which I believe
> are all derived from MIT).
> Doesn't mean that it won't work ok with Heimdal of course.

Has anyone implemented FDS with Heimdal?

Heimdal allows you to store the user passwords in LDAP. Is there a password change mechanism for that situation?

Thanks.
Sam
Rich Megginson
2005-Jun-30 17:07 UTC
Re: [Fedora-directory-users] What implementation of Kerberos preferred?
Sam Tran wrote:
> On 6/29/05, David Boreham <david_list@boreham.org> wrote:
> > Sam Tran wrote:
> > > I would like to know what implementation of Kerberos is preferred to
> > > setup SASL/GSSAPI with Fedora DS: MIT or Heimdal?
> >
> > It was developed, tested and is supported with MIT (or the OS vendor's
> > native krb implementation in the case of other OSes, which I believe
> > are all derived from MIT).
> > Doesn't mean that it won't work ok with Heimdal of course.
>
> Has anyone implemented FDS with Heimdal?
>
> Heimdal allows you to store the user passwords in LDAP. Is there a
> password change mechanism for that situation?

There is a "ldap backend" for Heimdal, but it uses the non-standard ldapi interface (e.g. LDAP through a unix domain file based socket rather than a TCP/IP socket). You would have to port that code to use an ldap or ldaps interface for use with FDS. Otherwise, I'm not sure if GSSAPI supports a password change mechanism. If so, you could do this through FDS.

> Thanks.
> Sam
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Luke Howard
2005-Jul-17 12:24 UTC
Re: [Fedora-directory-users] What implementation of Kerberos preferred?
> There is a "ldap backend" for Heimdal, but it uses the non-standard ldapi
> interface (e.g. LDAP through a unix domain file based socket rather than a
> TCP/IP socket). You would have to port that code to use an ldap or ldaps
> interface for use with FDS.

That's not hard to change, but I would prefer to see someone add ldapi:// to FDS :-)

> Otherwise, I'm not sure if GSSAPI supports a password change mechanism.
> If so, you could do this through FDS.

GSS-API does not deal with acquiring initial credentials or changing passwords. In order to maintain password synchronization, you need to ensure that the set of Kerberos keys and directory user passwords is kept synchronized.

In our XAD identity server, we have a SLAPI plugin that intercepts LDAP password change requests (either RFC 3062, NMAS, or LDAP updates of the userPassword/unicodePwd attributes) and generates a user's key set for Kerberos, Digest, etc. I believe Symas wrote a similar plugin that works with the Heimdal LDAP backend but I'm not sure whether it is generally available.

-- Luke
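A model of the intercept-and-derive step Luke describes, as an added example (not XAD's, Symas's or FDS's own code): a password-change hook that recognises either the RFC 3062 extended operation or an LDAP modify of userPassword/unicodePwd, builds the default Kerberos salt, runs the PBKDF2 stage of the RFC 3962 string-to-key for the AES enctypes, and computes the DIGEST-MD5 secret ("Digest" is assumed to mean DIGEST-MD5). The request dict shape, `intercept` and `SAMPLE_OP` are constructed for this example; the final AES-based DK step of the Kerberos string-to-key is omitted because it needs an AES block cipher.

```python
import hashlib

# OID of the RFC 3062 password modify extended operation.
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"
# Directory attributes whose update must also be treated as a password change.
PASSWORD_ATTRS = {"userpassword", "unicodepwd"}
# RFC 3962 AES enctypes: key length in bytes; the default iteration count is 4096.
AES_ENCTYPES = {"aes128-cts-hmac-sha1-96": 16, "aes256-cts-hmac-sha1-96": 32}


def default_salt(realm, principal):
    """RFC 4120 default salt: realm name followed by the principal's name components."""
    return realm + "".join(principal.split("/"))


def aes_pbkdf2_stage(password, salt, keylen, iterations=4096):
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key. The final DK step
    (RFC 3961 section 5.1) needs an AES block cipher and is not performed here."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, keylen)


def digest_md5_secret(username, sasl_realm, password):
    """Stored DIGEST-MD5 secret (RFC 2831): MD5(username ":" realm ":" password)."""
    return hashlib.md5(f"{username}:{sasl_realm}:{password}".encode("utf-8")).digest()


def is_password_change(op):
    """Match the two request shapes the plugin intercepts: the RFC 3062 extended
    operation, or an LDAP modify touching userPassword/unicodePwd (hypothetical dict form)."""
    if op.get("type") == "extended":
        return op.get("oid") == PASSWD_MODIFY_OID
    if op.get("type") == "modify":
        return any(m["attr"].lower() in PASSWORD_ATTRS for m in op["mods"])
    return False


def intercept(op, realm, principal, sasl_realm, old_kvno):
    """Return the replacement key-set record for a password change, or None so an
    unrelated operation passes through untouched. kvno is bumped to retire old keys."""
    if not is_password_change(op):
        return None
    password = op["new_password"]
    salt = default_salt(realm, principal)
    keys = {et: aes_pbkdf2_stage(password, salt, n) for et, n in AES_ENCTYPES.items()}
    keys["digest-md5"] = digest_md5_secret(principal.split("/")[0], sasl_realm, password)
    return {"kvno": old_kvno + 1, "salt": salt, "keys": keys}


# Constructed sample request: a modify replacing userPassword for user "raeburn".
SAMPLE_OP = {"type": "modify", "new_password": "password",
             "mods": [{"attr": "userPassword", "op": "replace"}]}
```

With iteration count 1 and the RFC 3962 Appendix B salt "ATHENA.MIT.EDUraeburn", `aes_pbkdf2_stage` reproduces that appendix's "128-bit PBKDF2 output" line.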
Rich Megginson
2005-Jul-18 16:11 UTC
Re: [Fedora-directory-users] What implementation of Kerberos preferred?
Luke Howard wrote:
> > There is a "ldap backend" for Heimdal, but it uses the non-standard ldapi
> > interface (e.g. LDAP through a unix domain file based socket rather than a
> > TCP/IP socket). You would have to port that code to use an ldap or ldaps
> > interface for use with FDS.
>
> That's not hard to change, but I would prefer to see someone add ldapi://
> to FDS :-)

It's on our wishlist.

> > Otherwise, I'm not sure if GSSAPI supports a password change mechanism.
> > If so, you could do this through FDS.
>
> GSS-API does not deal with acquiring initial credentials or changing
> passwords. In order to maintain password synchronization, you need to
> ensure that the set of Kerberos keys and directory user passwords is
> kept synchronized.

Ok. That's what I thought.

> In our XAD identity server, we have a SLAPI plugin that intercepts
> LDAP password change requests (either RFC 3062, NMAS,

What's NMAS?

> or LDAP updates
> of the userPassword/unicodePwd attributes) and generates a user's key
> set for Kerberos, Digest, etc. I believe Symas wrote a similar plugin
> that works with the Heimdal LDAP backend but I'm not sure whether it
> is generally available.

Symas has a few extensions that are not available (yet?) with OpenLDAP.

> -- Luke