Raffaele Sandrini <[EMAIL PROTECTED]> writes:

> LDAP: This is definitely a cool method. It's very simple and very secure due
> to its high SSL encryption. And through the possibility of NSS_LDAP virtually
> every application will automatically support that, and due to the nature of LDAP
> you are able to store all sorts of information about the user in the LDAP
> tree.

(I know fairly little about this; my main concerns would be (a) forcing everything to use SSL, if you really care about this, and (b) readily getting passwd entries with crypted password strings that an attacker could run a dictionary attack against. But for all I know, LDAP might have a good way of addressing these.)

> KerberosV5: Also a somewhat simple method. Also (very) secure. Has a
> different approach (its ticket system). Is fully compatible with
> AFS. Perhaps compatible with other systems like Win32. But you
> still need a passwd file to store special user data, right?

Kerberos only tries to deal with the problem of matching usernames and passwords; it doesn't include any support for propagating things like /etc/passwd. You'd need some other way to distribute this sort of data; MIT uses Hesiod (which these days is a slightly hackish layer on top of DNS), but LDAP could probably also fill this niche.

Kerberos also addresses the problem of authenticating yourself to various services; if your mail server is compromised and you just have password authentication, the attacker now has your password and can get access to other things, where a compromised Kerberos-using server only has authenticators that are specific to that server. (You're still really hosed if your master KDC is compromised.)

> AFS: The old approach. Somewhat secure. Is also (no, really? :-) )
> compatible with AFS. It uses a modified Krbv4 system. It should be
> also very portable through all sorts of Unixes and Win32. Needs a
> passwd file.

AFS doesn't include its own authentication layer. It does have its own user database (via ptserver), but underneath, authentication and encryption are done using Kerberos 4.

> Conclusion: Out of this information I would prefer the LDAP approach,
> but what if you want to use AFS as distributed filesystem and
> LDAP as user database? Then you need to maintain 2 user databases, or
> is there a way to get AFS working with LDAP?
I don't know of anything tying AFS/Kerberos/LDAP (or any pair involving LDAP) directly together, but this doesn't mean it doesn't exist. MIT has its own local glue layer (Moira), from which practically everything else is generated. I don't think this has been released into the wild, or really wants to be. But if you're a Large Site, doing something like this is probably the way to go.

-- 
David Maze [EMAIL PROTECTED] http://people.debian.org/~dmaze/
"Theoretical politics is interesting. Politicking should be illegal." -- Abra Mitchell
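As an added illustration of concerns (a) and (b) above (not part of this thread, and not something the original posters wrote), here is an OpenLDAP slapd.conf fragment, assuming OpenLDAP's slapd.conf directive syntax, that puts a lax access rule next to one which lets userPassword be used for binding but never read back, and requires TLS-level protection on every connection:

```conf
# Added example (not from this thread). Assumes OpenLDAP slapd.conf syntax.

# Weak: anyone who can connect may read every attribute, so the crypted
# password strings in userPassword can be dumped and attacked offline.
access to *
        by * read

# Better. slapd applies the first "access to" clause whose target matches,
# so the userPassword rule must come before the catch-all rule.
# "auth" lets the value be compared during a bind without disclosing it;
# only the entry's owner may change it; nobody may read it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Everything else is readable only by authenticated users.
access to *
        by users read
        by * none

# Concern (a): refuse operations on connections with a security strength
# factor below 128 (i.e. without strong TLS), and refuse simple binds
# that would send the password over a weaker connection.
security ssf=128 simple_bind=128
```

Keep only one of the two `access to *` rules; the weak one is shown for contrast and would otherwise shadow the rules that follow it.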