[SATLUG] RE: kerberos
Al Castanoli
afcasta at texas.net
Mon Dec 4 06:01:02 CST 2006
On Thu, 2006-11-30 at 08:35 -0600, Justizin wrote:
> On 11/29/06, Mark McCoy <realmcking at gmail.com> wrote:
> >
> > I'll second the recommendation to move away from openldap to one of the
> > netscape derivatives like Fedora or Sun DS (basically the same product).
> > The management tools included with these LDAPs are very well done (a little
> > clunky at first, but they grow on you). I haven't tried to bring up
> > openldap in any sort of production environment (with replication and all
> > that), but I know first hand that replicating with Sun's DS is dead simple
> > and rock solid (and I assume that the Redhat/Fedora one is as well, since
> > they are based on the same code).
>
> Plone will be our directory manager. ;)
>
> I know a lot of people using OpenLDAP in the enterprise, but if FDS
> and others are worth looking at, we will look at them. We could just
> pretty much flip a switch and have Oracle offer LDAP, but then LDAP
> wouldn't be a road away from Oracle.
>
> Anyway, this is really not answering my question. We will manage to
> get LDAP running, I'm sure, no problem, in fact, this is not even my
> job. Someone else will do it at my behest.
>
> What I'm trying to sort out is how to authenticate off of LDAP,
> because LDAP is not an authentication protocol, and it is not secure.
>
> With Kerberos, for one, we could replace LDAP with anything, any time
> we want, because PAM looks to kerberos and kerberos looks to
> /etc/nsswitch.conf.
>
> I'm just curious if kerberos is overkill and if I can avoid giving
> hundreds of application developers read access to my password database
> without forcing them to deal with kerberos. ;)
>
> --
> Justizin, Independent Interactivity Architect
> ACM SIGGRAPH SysMgr, Reporter
> http://www.siggraph.org/
I don't understand this ... We've been using Oracle LDAP servers for
years in my server farm, and the only developer I allow access to the
thousands of passwords we have in the database is the project manager.
Why would hundreds of application developers have read access to your
password database?
Al Castanoli
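As an added illustration (not part of this thread), here is what the split Justizin describes looks like on a Linux client: PAM sends the password check to Kerberos, nsswitch sends account and group lookups to LDAP, and on the directory side an OpenLDAP ACL keeps userPassword unreadable, so no application account ever needs read access to password hashes. Realm, hostnames, base DN and file paths are assumed for the example.

```conf
# Added example, not from this thread. Realm, hosts and paths are assumptions.

# /etc/pam.d/common-auth  (Debian layout; RHEL puts this in system-auth)
# Authentication goes to the KDC; the LDAP server never sees the password.
auth    sufficient  pam_krb5.so  minimum_uid=1000
auth    required    pam_unix.so  try_first_pass

# /etc/pam.d/common-account
account required    pam_unix.so
account required    pam_krb5.so

# /etc/nsswitch.conf  (name-service lookups only: uid, gid, home, shell)
passwd:  files ldap
group:   files ldap
shadow:  files          # keep hashes out of the LDAP lookup path entirely

# /etc/krb5.conf
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc          = kdc1.example.com
        admin_server = kdc1.example.com
    }

# /etc/ldap.conf  (nss_ldap: anonymous lookups of posixAccount attributes over TLS)
base            dc=example,dc=com
uri             ldaps://ldap1.example.com/
ssl             on
tls_cacertfile  /etc/ssl/certs/ca.pem

# /etc/openldap/slapd.conf  (only if the directory still stores userPassword)
# Nobody can read the hashes; a client proves a password by binding and the
# server does the comparison internally.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by * read
```

With this layout the only thing an application developer can fetch from the directory is account metadata; whether the credential check lands on the KDC or on a bind against slapd, the hash never leaves the server.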