speedy zinc
2005-Oct-18 02:23 UTC
[Fedora-directory-users] Question about Kerberos and FDS
Hi,

I've read the white paper "Red Hat Identity Management and Security Solutions", and on page 13 it says that Red Hat Directory Server supports a variety of authentication standards and technologies, including:

- ...
- Kerberos tickets via SASL/GSSAPI
- ...

What does that mean exactly? Does that mean RHDS can issue Kerberos tickets out of the box? Or does it mean I need to set up a Kerberos server and use RHDS as the backend for user information?

And this one:

- Impersonation (proxy) for multi-tier client applications.

Could someone explain what it means and how it can be used?

Thanks a lot

sz
Rich Megginson
2005-Oct-18 03:22 UTC
Re: [Fedora-directory-users] Question about Kerberos and FDS
speedy zinc wrote:
> Hi,
>
> I've read the white paper "Red Hat Identity Management and Security Solutions", and on page 13 it says that Red Hat Directory Server supports a variety of authentication standards and technologies, including:
>
> - ...
> - Kerberos tickets via SASL/GSSAPI
> - ...
>
> What does that mean exactly? Does that mean RHDS can issue Kerberos tickets out of the box?

No.

> Or does it mean I need to set up a Kerberos server and use RHDS as the backend for user information?

Yes. When you use kinit to acquire your ticket, you can use that ticket to authenticate to the directory server.

> And this one:
> - Impersonation (proxy) for multi-tier client applications.
>
> Could someone explain what it means and how it can be used?

Sure. This is most often used with web apps or other apps that set up a pool of connections to the directory server. Each connection in the pool is bound as a proxy user. When a real user wants to authenticate, the proxy connection passes the real user's bind credentials to the directory server using the proxy auth control.

> Thanks a lot
>
> sz
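The pooled-connection mechanism Rich describes is the LDAP proxied authorization control (RFC 4370). As an added example that is not from this thread or from Fedora Directory Server, the stdlib-only Python below encodes and decodes that control and models the server-side check that the pool's bound proxy user has been granted the right to act as the requested identity; the DNs and the rights table are constructed assumptions.

```python
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"  # controlType assigned in RFC 4370

def _ber_len(n: int) -> bytes:  # definite-form BER length (short or long form)
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload

def encode_proxy_authz_control(authz_id: str) -> bytes:
    """Control ::= SEQUENCE { controlType, criticality, controlValue }; controlValue is the raw authzId."""
    if authz_id and not authz_id.startswith(("dn:", "u:")):
        raise ValueError("authzId must be 'dn:<DN>', 'u:<userid>' or empty (anonymous)")
    return _tlv(0x30, _tlv(0x04, PROXY_AUTHZ_OID.encode())
                + _tlv(0x01, b"\xff")  # RFC 4370: criticality MUST be TRUE
                + _tlv(0x04, authz_id.encode()))

def _read_tlv(buf: bytes, pos: int):  # -> (tag, value, next_pos)
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:  # long form: low 7 bits give the count of length octets
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def decode_proxy_authz_control(control: bytes) -> str:
    """Parse the control, refusing forms a server must not silently accept."""
    tag, seq, _ = _read_tlv(control, 0)
    tag_oid, oid, pos = _read_tlv(seq, 0)
    if tag != 0x30 or tag_oid != 0x04 or oid.decode() != PROXY_AUTHZ_OID:
        raise ValueError("not a proxied authorization control")
    tag_crit, crit, pos = _read_tlv(seq, pos)
    if tag_crit != 0x01 or crit != b"\xff":  # if ignorable, the op would run as the proxy user itself
        raise ValueError("criticality must be TRUE")
    _, value, _ = _read_tlv(seq, pos)
    return value.decode()

# Constructed identities: the pool binds as the proxy user; each request names the real user.
PROXY_USER_DN = "cn=webapp-proxy,ou=services,dc=example,dc=com"
PROXY_RIGHTS = {PROXY_USER_DN: {"dn:uid=alice,ou=people,dc=example,dc=com"}}

def authorize_proxied_request(bound_dn: str, control: bytes) -> str:
    """Simplified server-side check: the bound proxy user must be allowed to act as the target."""
    target = decode_proxy_authz_control(control)
    if target not in PROXY_RIGHTS.get(bound_dn, set()):
        raise PermissionError(f"{bound_dn} may not act as {target!r}")
    return target
```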
speedy zinc
2005-Oct-18 03:40 UTC
Re: [Fedora-directory-users] Question about Kerberos and FDS
Thanks for replying.

--- Rich Megginson <rmeggins@redhat.com> wrote:
> > Or does it mean I need to set up a Kerberos server and use RHDS as the backend for user information?
>
> Yes. When you use kinit to acquire your ticket, you can use that ticket to authenticate to the directory server.

So, if I understand what you're saying, the directory server is acting as the TGS?

I'm going to set up a Kerberos tonight. Which one works better with FDS? MIT or Heimdal?

> > And this one:
> > - Impersonation (proxy) for multi-tier client applications.
> >
> > Could someone explain what it means and how it can be used?
>
> Sure. This is most often used with web apps or other apps that set up a pool of connections to the directory server. Each connection in the pool is bound as a proxy user. When a real user wants to authenticate, the proxy connection passes the real user's bind credentials to the directory server using the proxy auth control.

Oh, ok. I was thinking about something else :)

sz
Rich Megginson
2005-Oct-18 03:45 UTC
Re: [Fedora-directory-users] Question about Kerberos and FDS
speedy zinc wrote:
> Thanks for replying.
>
> --- Rich Megginson <rmeggins@redhat.com> wrote:
>>> Or does it mean I need to set up a Kerberos server and use RHDS as the backend for user information?
>>
>> Yes. When you use kinit to acquire your ticket, you can use that ticket to authenticate to the directory server.
>
> So, if I understand what you're saying, the directory server is acting as the TGS?

No. You have to set up the usual Kerberos TGS. The directory server merely uses the tickets, like any other server/service.

> I'm going to set up a Kerberos tonight. Which one works better with FDS? MIT or Heimdal?

I'm not sure. The instructions we have in our docs are geared towards MIT, but Heimdal may work just fine.

>>> And this one:
>>> - Impersonation (proxy) for multi-tier client applications.
>>>
>>> Could someone explain what it means and how it can be used?
>>
>> Sure. This is most often used with web apps or other apps that set up a pool of connections to the directory server. Each connection in the pool is bound as a proxy user. When a real user wants to authenticate, the proxy connection passes the real user's bind credentials to the directory server using the proxy auth control.
>
> Oh, ok. I was thinking about something else :)

It can also mean chaining. You can set up the directory server to use another directory server as a database - what we refer to as a chaining backend or database in our docs. The use of a directory server to act as a "front-end" to another directory server is also called a proxy.

> sz
speedy zinc
2005-Oct-18 03:52 UTC
Re: [Fedora-directory-users] Question about Kerberos and FDS
--- Rich Megginson <rmeggins@redhat.com> wrote:
> No. You have to set up the usual Kerberos TGS. The directory server merely uses the tickets, like any other server/service.

Got it.

> > Oh, ok. I was thinking about something else :)
>
> It can also mean chaining. You can set up the directory server to use another directory server as a database - what we refer to as a chaining backend or database in our docs. The use of a directory server to act as a "front-end" to another directory server is also called a proxy.

Hmm... so what's the purpose of a chaining directory server? Wouldn't using a read-only replica be better in this case?

thanks

sz
David Boreham
2005-Oct-18 05:17 UTC
Re: [Fedora-directory-users] Question about Kerberos and FDS
>> Hmm... so what's the purpose of a chaining directory server? Wouldn't using a read-only replica be better in this case?

Chaining is complementary to replication: chaining allows you to leave the data where it is and take the query to the data, which might be more efficient than moving the data. It's also possible (by possible, I mean you might need to write code) to play various proxy tricks when chaining: multiplex operations onto a cluster of storage servers; re-write the operations as they pass through; aggregate results from multiple source servers; and so on. Mind you, proxying and chaining are not commonly used in my experience, compared to replication.