Single sign-on infrastructure (FC5 wish)

Bernardo Innocenti bernie at develer.com
Thu Jun 23 01:10:29 UTC 2005


Charles Lopes wrote:

>> So Heimdal can use an LDAP data store? Sweet. Thanks so much for your
>> post.  I've wanted MIT krb5 to do this (in a non hacky way) for ages.
>>
>>
> A data abstraction layer (DAL) patch that does just that has just
> been committed to the cvs of MIT KDC.

I just did a "cvs update" from MIT's repository and... yes!
Now it's there.

But where is the LDAP backend?  Does one exist yet?  Does it work
already?  Is it compatible with Heimdal's hdb.schema?

(ok, too many questions :-)



> Also I believe heimdal can (or will be able to) use the LDAP attribute
> "sambaNTPassword" as an arcfour-hmac-md5 kerberos key. I haven't tried
> MIT KDC+DAL (or heimdal for that matter) but I guess that the raison
> d'être of DAL being its possible use alongside future versions of samba,
> it's likely to support the same feature.

Looking at Samba 4 sources, and reading around posts by
Andrew Tridgell, it seems the focus for Samba isn't to
interoperate with OpenLDAP and Heimdal (or MIT).

Instead, they're integrating some parts of Heimdal and rewriting
a lightweight LDAP server with as much functionality as it's
needed for ADS support.

Andrew says that 99% of sites just want to get the ActiveDirectory
domain controller to work and don't know or care anything about
full blown Kerberos and LDAP servers.

I think he's basically right, although I'm one of those 1% users
who would be hit by this route of action.


> In a related note, my hardest headache is renewing keys for users that
> have home directories accessed via NFS4+krb5. We could not get
> "gnome-kerberos" or "xscreensaver" to do it, so we keep a terminal
> window open so that kinit can be run there. Am I missing something?

So someone actually got NFS4 + GSSAPI to work!!!  Could you please
elaborate?  I went through applying CITI's kernel and userland
patches, with very little luck.


> Also is the new kernel keyring facility planned for FC5 inclusion?

Shouldn't that patch first be submitted to a kernel maintainer?
Last time I checked, outstanding NFSv4 patches were (slowly)
being included in official kernels through -mm.

-- 
  // Bernardo Innocenti - Develer S.r.l., R&D dept.
\X/  http://www.develer.com/