LinuxQuestions.org

labratmatt 05-16-2006 10:54 AM

LDAP and Kerberos the right tools?
 
Here's the problem:
I've got a number of *nix machines that I work on often and each time I log on to each one of them, I have to enter my uid/pass for authentication. I have a couple of other people that do the same thing with unique uids/passes.

Here's what I'd like to be able to do:
Sign on to one computer once, then be authenticated to my network so that when I SSH to the other machines, I don't have to enter my uid/pass again.

Notes:
Each machine has the same user account, but each one has a different pass for the user account (for security purposes). The authentication method needs to be secure.


Anyone have a suggestion? I think I've read that Kerberos with LDAP might be able to solve this problem, but I'm not quite sure how it would work or if they are the right tools for the job. Thanks for your help.

ataraxia 05-16-2006 02:24 PM

You can do this with just Kerberos. You don't need LDAP, unless you want to automate maintaining /etc/passwd. Sounds like you don't have enough users to make LDAP worth the effort.

OpenSSH supports using Kerberos credentials to log in, and forwarding those credentials to the remote host (search for "GSSAPI" in the OpenSSH documentation for more details).
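
The OpenSSH GSSAPI options mentioned in the reply above, shown as an added example that is not part of the original thread: the server setting, then a client configuration that forwards credentials to every host beside one that limits forwarding. The realm EXAMPLE.COM and the domain example.com are placeholders, and a working KDC with a host principal for each server is assumed.

```sshconfig
# --- Server: /etc/ssh/sshd_config on every machine you log in to ---
# Each server needs its own host principal, host/<fqdn>@EXAMPLE.COM
# (placeholder realm), stored in its keytab (default /etc/krb5.keytab).
GSSAPIAuthentication yes
# Destroy the user's credential cache at logout (this is the default).
GSSAPICleanupCredentials yes

# --- Client: ~/.ssh/config, variant A (too broad) ---
# Delegation hands a copy of your ticket-granting ticket to every host
# you connect to; root on any of those hosts can then act as you until
# the ticket expires.
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

# --- Client: ~/.ssh/config, variant B (scoped; use instead of A) ---
# ssh uses the first value it obtains for each option, so the specific
# block must come before "Host *". Delegate only to hosts from which
# you need to ssh onward; plain GSSAPI login works without delegation.
Host *.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIAuthentication no
    GSSAPIDelegateCredentials no
```

With this in place, run `kinit` once on the first machine; `klist` should then list the ticket-granting ticket, and `ssh` to a host under example.com should log in without a password prompt.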

labratmatt 05-16-2006 02:28 PM

So why do people use LDAP if Kerberos alone will work? Does LDAP simply let you do the same thing on a larger level? Thanks!

ataraxia 05-16-2006 02:32 PM

Quote:

Originally Posted by labratmatt
So why do people use LDAP if Kerberos alone will work? Does LDAP simply let you do the same thing on a larger level? Thanks!

LDAP is good for several things:
  • Keeping track of a bunch of data about people
  • Providing a central repository for data, that can be queried remotely
  • Generating other forms of the data (like passwd and group files)
  • Doing specific authorization for certain users (requires apps to understand LDAP)

So yes, LDAP is good for larger scale setups. Kerberos by itself just does basic authentication - a user can prove identity, but it doesn't say anything else about that user.

vinodkumarmj 05-30-2006 10:46 AM

I have configured LDAP and I do not know what the need is for having Kerberos authentication along with LDAP, or how to configure the Kerberos authentication.


All times are GMT -5.