Single sign-on infrastructure (FC5 wish)

Bernardo Innocenti bernie at develer.com
Thu Jun 23 00:28:43 UTC 2005


Alexander Boström wrote:

>> - Heimdal's KDC,
> 
> I have Heimdal and Arla RPMs that I've been meaning to try to get into
> Extras. See http:/ayo.sys.kth.se/kth/linux/4/i386/krbafs/ . (Binaries
> for RHEL4, but the SRPMS work with FC3 at least.)

I tried ARLA's Heimdal binaries before building it
from sources, but they were built without the LDAP
backend or something like that.

By the way, integrating Heimdal in Fedora isn't
as trivial as I had guessed.  Heimdal's libkrb5
doesn't appear to be binary compatible with the
MIT version, and many libraries such as libkrb5support
and libgssapi_krb5 don't even exist.

Heimdal uses a few encryption types that clients linked
against the MIT libraries don't seem to support.
Actually, I'm not sure how to fix this as I couldn't
find clear documentation about supported encryption
types and how to configure the server and client
side to negotiate a commonly supported method.

Maybe I just need to study Kerberos a bit harder.


>> configured with the LDAP backend.
> 
> I don't know how that works but I must say I'm very sceptical, mostly
> from a security standpoint. What's the advantage of doing it that way?

The main advantage is that you can add/remove/edit
a user account and its associated security information
from a single place.

I was also pleased to discover that Heimdal can (ab)use
NT hashes stored in sambaSamAccount objects, so I can
just use "smbpasswd" or even Windows tools to edit
POSIX, Samba and Kerberos passphrases at the same time.

Security is just as bad as letting Samba access the
LDAP database.  I'm using the ldapi:// method with
a socket accessible to root only.  I prefer this
over storing the LDAP manager password in a secret
file, although ldapi doesn't allow me to split Samba,
LDAP and KDC on different servers.

Using SASL GSSAPI wouldn't be an option, as Kerberos
can't use itself to authenticate to the LDAP service :-)


>> - I couldn't get password-less IMAP to work with
>>   courier-imap because of limited SASL support.
>>   Maybe I'd be more lucky with cyrus-imap
> 
> Cyrus-IMAPd + Heimdal and Evolution + MIT-KRB play along nicely.

I use qmail as an MTA, and last time I checked cyrus-imapd
didn't support Maildir.

-- 
  // Bernardo Innocenti - Develer S.r.l., R&D dept.
\X/  http://www.develer.com/