Kerberos only provides an authentication mechanism, not UNIX user and
group services, i.e. UIDs, GIDs, home directories, etc. LDAP can provide
both. If you were to use Kerberos, you'd still have to maintain your
LDAP + SSL setup so that UNIX user and group services continue to work.

Jose Gonzalez Gomez wrote:

>
> Hi there,
>
> I'm about to create a central directory service for users in my
> company. I've been reading a lot and right now I think I have a real
> acronym soup headache. My main requirement is to be able to have a
> central repository of users, so if I want to create a new user, I only
> do it in just one place. Creating a new user means giving that user
> rights to use several services (login, mail, proxy, ...), so I don't
> have to create a user in /etc/passwd, then create a user in the mail
> server, ... Other requirements include the possibility of using the
> user information as an address book (this is easy as long as the
> information is stored in LDAP).
>
> Right now I'm using the following (only login and mail tested):
>
> * PAM + LDAP. Users may log in once I have created an entry for that
> user in the LDAP directory.
> * Postfix + SSL + SASL + saslauthd/ldap. Users outside my local
> network are able to send mail to the world once they have
> authenticated. Postfix also uses the information stored in LDAP to
> accept incoming mail.
> * Courier-IMAP + SSL + LDAP authentication. Users are able to access
> their IMAP mailboxes after they have authenticated using the
> information stored in the LDAP server. I'm thinking about
> migrating this to Cyrus IMAP + SSL + SASL + saslauthd/ldap to
> mimic the Postfix setup.
>
> I then found information about Kerberos, so I don't know if I
> should go that way, or stay with this setup (this is the time to
> experiment; once this is put into production I won't have the
> possibility to change it easily). Are there any advantages of using
> Kerberos over using just SSL + LDAP? In case I use Kerberos, would I
> have duplicate information in the Kerberos database and in LDAP? May I
> use LDAP as a backend for the Kerberos password database? I don't know
> that much about Kerberos, so forgive me if I'm asking any stupid
> question.
>
> Thanks in advance, regards
> Jose
>
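To make the split described in the reply concrete, here is an added configuration sketch (not from the thread) of a Linux host that authenticates passwords against a Kerberos KDC but still takes UIDs, GIDs, shells and home directories from LDAP over TLS. It assumes nss_ldap/pam_ldap and pam_krb5 on the client, and the hostnames, realm, base DN, certificate path and the sample user are placeholders.

```conf
# /etc/nsswitch.conf (excerpt): identity data still comes from LDAP,
# because a Kerberos principal carries only a key, not POSIX attributes
passwd:     files ldap
group:      files ldap
shadow:     files ldap

# /etc/ldap.conf (nss_ldap/pam_ldap, excerpt): keep the TLS-protected
# LDAP connection for the lookups above (placeholder host, base and CA)
uri             ldaps://ldap.example.com/
base            dc=example,dc=com
ssl             on
tls_cacertfile  /etc/ssl/certs/example-ca.pem

# /etc/pam.d/system-auth (excerpt): only the password check moves to
# Kerberos; account validity and session data still come via NSS/LDAP
auth        sufficient   pam_krb5.so
auth        required     pam_unix.so try_first_pass
account     required     pam_unix.so
account     sufficient   pam_ldap.so
password    sufficient   pam_krb5.so
password    required     pam_unix.so use_authtok
session     required     pam_unix.so

# /etc/krb5.conf (excerpt): the realm the password is verified against
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }

# Constructed LDIF for one user: these are the attributes the KDC does
# not store, so they live here; the KDC holds jdoe@EXAMPLE.COM's key
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
cn: Jane Doe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
loginShell: /bin/bash
mail: jdoe@example.com
```

Only the login name is shared between the two stores: the KDC sees the principal name and key, LDAP sees the posixAccount attributes, so neither is a full duplicate of the other.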