unified authentication

[Robert Watson]

On Wed, 24 Sep 2003, Jesse Guardiani wrote:

> > My current preference in new installs is to use Kerberos5 for
> > authentication and LDAP for account information.  If you're willing to
> > throw SSL into the mix, a lack of "kerberization" isn't such a problem --
> > you basically end up using Kerberos5 as a distributed password mechanism
> > for non-Kerberized clients.  I.e., using IMAP over SSL, SMTP over SSL,
> > etc.
> 
> And that's more or less what I was thinking of doing here, except it
> wouldn't be IMAP and SMTP (because that is already handled by my mail
> server's MySQL database), but Kerberos as a distributed password
> mechanism for SSH, Apache .htaccess, Cisco routers, etc... 
> 
> Does that work well with FreeBSD 4.8? Or would I need to use 5.x to
> deploy Kerberos5 in that manner? 

Kerberos5 should work fine; direct support for LDAP is a problem for 4.x
due to a lack of complete NSS support--to do this directly, you'd need to
run 5.x.  My understanding is that some sites dump their LDAP databases to
NIS databases and share them on the FreeBSD side using NIS, which is also
a reasonable (if less secure) solution.  If you just want to use Kerberos5
for password sharing, 4.x should be no problem at all.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Network Associates Laboratories