Tuesday Jul 13, 2004

Java ES Directory Server and Kerberos services

Active Directory (AD) offers an LDAPv3 interface and uses Kerberos for authentication, so one password store backs both protocols.
Java ES Directory Server stores passwords inside the LDAP DIT; if you want Kerberos to hold the passwords instead, someone has to write a pre-operation (preop) bind plug-in that hands the authentication to the KDC.

Many universities use MIT Kerberos to store passwords, and Sun's EDU line of business funded a project for university users to write a plug-in for this purpose.
Many people contributed to this project: Michael Gettes, Jeremy Rumpf, and Bob Carter (the Duke extension to krbdirp).

Many users would prefer that Sun ship an official plug-in so that Kerberos can be used to store passwords.
The original goal of funding the project was for the Sun DS group to gauge the demand for such a plug-in and perhaps produce an official one.

DS 5.2 includes a feature, with a demonstration, of how to use SASL (the GSSAPI mechanism) to interact with Kerberos services.
The problem is that, to use this feature, every client has to be modified to speak SASL.
This is exactly what the Cyrus SASL project provides.

So even though DS 5.2 has a SASL interface, it is not very practical, because very few clients can take advantage of it; most still do a simple bind with a password, which the server has to verify from its own store.

We have asked the DS PM to add this feature, but the answer was "no business case".
IMHO, if AD provides this feature, and MSFT serves 90% of PC users, that is a good enough business case.


Thursday Jun 10, 2004

Problem with incorrect documentation on the LDAP Naming Service

Problem with the RTFM

Recently I tried to help a customer with an LDAP and Kerberos integration problem.

In the process, we tried to set up native LDAP as the name service (Solaris 9). After we ran idsconfig to set up the server, following the document on http://docs.sun.com, everything seemed fine.

When we tried to use ldapclient to configure the client, our problems started: all the examples for the client setup are incorrect. We finally had to follow the ldapclient man page (if we ASSUME that it is correct), and it worked?!

Maybe a correction has already been made in some patch, but we got this document from the current Solaris 9 4/04 online documentation.

Using profiles to initialize a client

ldapclient -p new -d west,example.com 192.168.0.0

should be

ldapclient init -a profileName=new 192.168.0.1

Proxy credentials

ldapclient -p profilename -D cn=proxyagent,ou=profile,dc=west,dc=example,dc=com -d west.example.com -p pitl -w test1234 192.168.0.0

should be

ldapclient init -a profileName=default -a proxyDN=cn=proxyagent,ou=profile,dc=west,dc=example,dc=com -a proxyPassword=test1234 192.168.0.1

Manually

ldapclient -i -d dc-west,example.com -c dc-west,dc=example,dc=com -D cn=proxyagent,ou=profile,dc=west,dc=example,dc=com -w testtest 192.168.0.0

should be

ldapclient manual -a domainName=west.example.com -a defaultSearchBase=dc=west,dc=example,dc=com -a proxyDN=cn=proxyagent,ou=profile,dc=west,dc=example,dc=com -a proxyPassword=testtest -a defaultServerList=192.168.0.1

(The manual subcommand takes no positional server address; the server goes in defaultServerList, and the domain and search base that the old -d and -c options carried go in domainName and defaultSearchBase. Attribute names are given exactly as the man page spells them, so profileName and proxyDN, not profleName or proxyDn.)

Modifying a manual client configuration

ldapclient -m -a simple

should be

ldapclient mod -a authenticationMethod=simple
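The four wrong/right pairs above show how easy it is to get ldapclient(1M) subtly wrong: a mistyped attribute name such as profleName or proxyDn, an old-style option, or a positional server on a subcommand that does not take one. The following POSIX sh lint is an added example, not code from the original post or from Sun. It checks a proposed ldapclient command line against the subcommands and attribute names from the ldapclient man page as I know them (the attribute list, and the rule that only init takes a positional server address, are assumptions to verify against your own man page), and it warns when proxyPassword is passed as an argument, because command-line arguments are readable by every user on the host through ps and end up in shell history.

```shell
#!/bin/sh
# Added example (not from the original post or from Sun): a lint for
# ldapclient(1M) command lines. It catches mistyped attribute names such as
# profleName or proxyDn before the command reaches a production client, and
# warns when a proxy password is passed as an argument (visible in ps output).
# ASSUMPTION: the attribute list and the positional-server rule below are taken
# from the Solaris ldapclient man page as I recall it; verify them locally.

LDAPCLIENT_ATTRS="profileName domainName proxyDN proxyPassword certificatePath \
defaultServerList preferredServerList defaultSearchBase defaultSearchScope \
authenticationMethod credentialLevel serviceSearchDescriptor searchTimeLimit \
bindTimeLimit followReferrals profileTTL attributeMap objectclassMap \
serviceCredentialLevel serviceAuthenticationMethod"

# is_ldapclient_attr NAME -> 0 if NAME is a known attribute.
# The match is exact and case-sensitive, so a case slip like proxyDn is rejected.
is_ldapclient_attr() {
    for a in $LDAPCLIENT_ATTRS; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# lint_ldapclient SUBCOMMAND [ARGS...]
# Prints one diagnostic per line and returns the number of errors (0 = clean).
# Warnings (a password on the command line) are printed but not counted.
lint_ldapclient() {
    sub=$1; shift
    errors=0
    server=""
    case "$sub" in
        init|manual|mod|list|uninit|genprofile) ;;
        *)  echo "ERROR: unknown subcommand '$sub' (expected init, manual, mod, list, uninit or genprofile)"
            return 1 ;;
    esac
    while [ $# -gt 0 ]; do
        case "$1" in
            -v|-q) ;;
            -a)
                if [ $# -lt 2 ]; then
                    echo "ERROR: -a given without attrName=attrVal"
                    errors=$((errors + 1))
                    break
                fi
                shift
                name=${1%%=*}
                if [ "$name" = "$1" ]; then
                    echo "ERROR: -a expects attrName=attrVal, got '$1'"
                    errors=$((errors + 1))
                elif ! is_ldapclient_attr "$name"; then
                    echo "ERROR: unknown attribute '$name' (check spelling and case against ldapclient(1M))"
                    errors=$((errors + 1))
                elif [ "$name" = "proxyPassword" ]; then
                    echo "WARNING: proxyPassword given on the command line; it is visible in ps output and shell history"
                fi
                ;;
            -*)
                echo "ERROR: old-style option '$1'; ldapclient on Solaris 9 uses subcommands with -a attrName=attrVal"
                errors=$((errors + 1))
                ;;
            *)
                server=$1
                ;;
        esac
        shift
    done
    # init takes the LDAP server as its positional argument; manual and mod take
    # everything through -a (the server belongs in defaultServerList).
    case "$sub" in
        init)
            [ -n "$server" ] || { echo "ERROR: init needs an LDAP server address"; errors=$((errors + 1)); }
            ;;
        manual|mod)
            [ -z "$server" ] || { echo "ERROR: $sub takes no positional server; use -a defaultServerList=$server"; errors=$((errors + 1)); }
            ;;
    esac
    return $errors
}

# Usage: run the lint on the command line you intend to type, then run ldapclient.
lint_ldapclient init -a profileName=new 192.168.0.1 && echo "clean: ldapclient init -a profileName=new 192.168.0.1"
```

Run the function on each command before executing it on a client; a non-zero return means at least one error was printed. It is only a lint of the command line, not a substitute for checking the result with ldapclient list afterwards.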

About

hstsao