
Re: using ldap as heimdal backend



Hi Geza,

Will it work on the Linux platform as well?
I have read the HOWTO on the link you provided actually.
But it doesn't really satisfy me :-)
 
kdc# ldapsearch -L -h localhost -D cn=manager \
 -w secret \
 -b ou=KerberosPrincipals,dc=padl,dc=com \
 'objectclass=krb5KDCEntry'
 
Does it mean that we MUST use simple bind?
 
Thank you,
lara
Gémes_Géza <geza@kzsdabas.sulinet.hu> wrote:

Lara Adianto wrote:
| Hi,
|
| This is probably a basic question but well, I haven't
| got any satisfactory information on the net, so I post
| it anyway here.
|
| I read somewhere on the net that using ldap as the
| backend of heimdal might degrade the security feature
| of kerberos. Is this right? If yes, then in which
| situation will we prefer to use ldap backend instead
| of the local dbase?
|
| Using ldap as heimdal's backend, how would the
| search be conducted through ldap? With simple bind?
| SASL mechanism?
|
With proper access control lists defined in ldap configuration the risk
is minimal. The LDAP connection is realized over a UNIX domain socket,
so Heimdal and LDAP server must run on the same host.
Recommended reading:
http://www.padl.com/Research/Heimdal.html

Cheers,

Geza


------------------------------------------------------------------------------------
Life, you see, is never as good nor as bad as one thinks
- Guy de Maupassant -
------------------------------------------------------------------------------------

