[SATLUG] RE: kerberos
David Kowis
dkowis at shlrm.org
Fri Dec 1 13:42:10 CST 2006
Justizin wrote:
> On 11/30/06, David Kowis <dkowis at shlrm.org> wrote:
>>
>> Bruce Dubbs wrote:
>> > John Pappas wrote:
>> >
>> >> Is LDAP over SSL a solution to handle the transport security problem?
>> >
>
> The problem is not transport security, it's the size of the trust network.
>
>> > I believe that is one option. Another is SASL -- or a combination.
>> >
>> > -- Bruce
>>
>> I've done LDAP over a TLS certificate-based system. It works well enough
>> for pam_ldap and nss_ldap. I use a host-based certificate, so each host
>> has its own cert for establishing the TLS stuff. I looked into LDAP +
>> Kerberos, but it was too much of a PITA for me and my lonesome.
>>
>
> I can see how properly encrypted LDAP communications are rather
> secure, but consider that I will more or less need to hand out access
> to a database of a half million plus people to innumerable application
> developers at all levels of an international organization. Right now,
> Plone, which is going to be our core, encrypts passwords in such a way
> that I can reset them, but not read them. If you lose your password,
> much like with Yahoo or any other online service, you have to have a
> confirmation e-mail sent.
In a huge community Kerberos will help. It provides standard
authentication mechanisms for any number of things. You'll have to do
coding no matter what for applications that don't have Kerberos support,
either optional or built in. But for a single sign-on type thing
Kerberos will do well, or if you need to authenticate over an unsafe medium.
>
> The ACM has very stringent policies on privacy, security, etc. We
> are also a huge community, so I'm trying to serve both. I am going to
> provide Chapters, SIGs, etc. with a ton of tools to build web
> presences using Plone, but some of them will want to use Rails or PHP
> or CFM or whatever, and that's fine. I want them to be able to use a
> simple, accessible means of determining if a given id is a non-paying
> "web account", an ACM Member, a SIG Member, and/or a member of one or
> more Chapters.
>
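The per-host TLS client certificate setup David describes for pam_ldap/nss_ldap, written out as an added example (not configuration from the original thread or from any of the posters). It assumes a PADL-style /etc/ldap.conf on the client and a slapd.conf on the OpenLDAP server; the hostnames, paths, and base DN are placeholders, and the client-side options shown (ssl, tls_checkpeer, tls_cacertfile, tls_cert, tls_key) are the nss_ldap/pam_ldap option names, not something the thread specifies.

```conf
# ---- Client: /etc/ldap.conf (nss_ldap / pam_ldap) ----
# Placeholder directory server and search base (constructed for this example).
host ldap.example.org
base dc=example,dc=org

# Upgrade the plain LDAP connection with STARTTLS before any bind.
ssl start_tls

# Refuse to talk to a server whose certificate does not chain to our CA,
# so passwords are never sent to an impostor directory.
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-ca.pem

# Host-based client certificate: each host gets its own cert and key,
# so the directory can tell hosts apart and revoke one without affecting the rest.
tls_cert /etc/ssl/certs/thishost.example.org.pem
tls_key  /etc/ssl/private/thishost.example.org.key

# ---- Server: slapd.conf (OpenLDAP) ----
TLSCACertificateFile  /etc/ssl/certs/example-ca.pem
TLSCertificateFile    /etc/ssl/certs/ldap.example.org.pem
TLSCertificateKeyFile /etc/ssl/private/ldap.example.org.key
# Require a valid client certificate on every TLS session;
# a host without one (or with a revoked one) cannot even start a bind.
TLSVerifyClient demand
```

The two `tls_checkpeer`/`TLSVerifyClient` lines are the ones that matter: without `tls_checkpeer yes` the client encrypts but does not authenticate the server, and without `TLSVerifyClient demand` the server encrypts but accepts any client, which is the gap Justizin's "size of the trust network" concern points at. This only authenticates hosts to the directory; authenticating users across many applications is what Kerberos adds on top.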