| 1 |
Kerberos only provides an authentication mechanism, not UNIX user and |
| 2 |
group services ie. UIDs, GIDs, home directories, etc. LDAP can provide |
| 3 |
both. If you were to use Kerberos, you'd have to still maintain your |
| 4 |
LDAP + SSL setup so that UNIX user and group services continue to work. |
| 5 |
|
| 6 |
Jose Gonzalez Gomez wrote: |
| 7 |
|
| 8 |
> |
| 9 |
> Hi there, |
| 10 |
> |
| 11 |
> I'm about to create a central directory service for users in my |
| 12 |
> company, I've been reading a lot and right now I think I have a real |
| 13 |
> acronym soup headache. My main requirement is to be able to have a |
| 14 |
> central repository of users, so if I want to create a new user, I only |
| 15 |
> do it in just a place. Creating a new user means giving that user |
| 16 |
> rights to use several services (login, mail, proxy,...), so I don't |
| 17 |
> have to create a user in /etc/passwd, then create a user in the mail |
| 18 |
> server, ... Other requirements include the possibility of using the |
| 19 |
> user information as an address book (this is easy as long as the |
| 20 |
> information is stored in LDAP). |
| 21 |
> |
| 22 |
> Right now I'm using the following (only login and mail tested): |
| 23 |
> |
| 24 |
> * PAM + LDAP. Users may login once I have created an entry for that |
| 25 |
> user in the LDAP directory. |
| 26 |
> * Postfix + SSL + SASL + saslauthd/ldap. Users outside my local |
| 27 |
> network are able to send mails to the world once they have |
| 28 |
> authenticated. Postfix also uses the information stored in LDAP to |
| 29 |
> accept incoming mail. |
| 30 |
> * Courier-IMAP + SSL + LDAP authentication. Users are able to access |
| 31 |
> their IMAP mailboxes after they have authenticated using the |
| 32 |
> information stored in the LDAP server. I'm thinking about |
| 33 |
> migrating this to Cyrus IMAP + SSL + SASL + saslauthd/ldap to |
| 34 |
> mimic the postfix setup. |
| 35 |
> |
| 36 |
> I then found information about kerberos, so I don't know if I |
| 37 |
> should go that way, or stay with this setup (this is the time to |
| 38 |
> experiment, once this is put into production I won't have the |
| 39 |
> possibility to change it easily). Are there any advantages of using |
| 40 |
> kerberos over using just SSL + LDAP? In case I use kerberos, would I |
| 41 |
> have duplicate information in the kerberos database and in LDAP? May I |
| 42 |
> use LDAP as a backend for the kerberos password database? I don't know |
| 43 |
> that much about kerberos, so forgive me if I'm making any stupid |
| 44 |
> question. |
| 45 |
> |
| 46 |
> Thanks in advance, regards |
| 47 |
> Jose |
| 48 |
> |
Archives