Re: using ldap as heimdal backend

[Gémes Géza <geza@kzsdabas.sulinet.hu>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Lara Adianto írta:
| Hi Geza,
|
| Will it work in Linux platform as well ?
| I have read the HOWTO on the link you provided actually.
| But it doesn't really satisfy me :-)
|
| kdc#* ldapsearch -L -h localhost -D cn=manager \**
|  -w secret** -b ou=KerberosPrincipals,dc=padl,dc=com \
|  'objectclass=krb5KDCEntry'*
|
| Does it mean that we MUST use simple bind ?

Yes, but it is over a 700 mode uid 0 and gid 0 socket file , so it is
not less secure, than accessing a root owned file based kerberos
database. Anyway kerberos is a protocol designed to solve the problem of
some secure hosts connected by an insecure network. So if your KDC
machine gets compromised anything is lost no mather if you are using
LDAP or not.

| Thank you,
| lara
| */Gémes_Géza <geza@kzsdabas.sulinet.hu>/* wrote:
|
| Lara Adianto írta:
| | Hi,
| |
| | This is probably a basic question but well, I haven't
| | got any satisfactory information on the net, so I post
| | it anyway here.
| |
| | I read somewhere in the net that using ldap as the
| | backend of heimdal might degrade the security feature
| | of kerberos. Is this right ? If yes, then in which
| | situation will we prefer to use ldap backend instead
| | of the local dbase ?
| |
| | Using ldap as the heimdal's backend, how would the
| | search be conducted through ldap ? With simple bind ?
| | SASL mechanism ?
| |
| With proper access control lists defined in ldap configuration the risk
| is minimal. The LDAP connection is realized over a UNIX domain socket,
| so Heimdal and LDAP server must run on the same host.
| Recomended reading:
| http://www.padl.com/Research/Heimdal.html


Cheers,

Geza
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAcubc/PxuIn+i1pIRAgJ7AJ4rmptXAyYHr7AB1LieD1N0SjC+aACggpgz
LQTG5R0+5V7Z/E0nPl2Dc6E=
=gCV1
-----END PGP SIGNATURE-----