[OpenAFS-devel] Authentication Mechanisms
Derek Atkins
warlord@MIT.EDU
06 Jan 2002 12:07:45 -0500
No, currently AFS can only use the KAServer or Kerberos for
authentication. There is no LDAP backend for the authentication.
You _CAN_ use LDAP for user login information (e.g. username,
GECOS, home directory, shell, etc.) but you still need to use
Kerberos for the actual _authentication_.

Basically you have a single key into two databases:

username -+-> LDAP -+----> Real Name
          |         +----> Home Directory
          |         +----> Shell
          |         +----> Office
          |         +----> Phone
          |         +----> etc.
          +-> Kerberos --> authentication (password)

The whole point of Kerberos is to _protect_ the password so that
you don't need to propagate it to everywhere. A server does not
need access to the users' "password" in order to authenticate them.
I hope this helps.
-derek
"Donavan Pantke" <m_ithil@hotmail.com> writes:
> I have a question that may be developer-level, let me know if this is
> the wrong list. :) I'm looking at putting in a shared Filesystem setup at my
> company, but I really started looking at the authentication system in NFS
> and said ick! :) Anyway, I was looking over the authentication mechanism in
> AFS, and I really didn't want to maintain yet ANOTHER username/password
> listing. That's the biggest reason I'm implementing a Novell eDirectory tree
> to handle that. My question is that I have PAM modules and such that
> authenticate users against the eDirectory, is there any way I can get AFS to
> use eDirectory or any similar directory (LDAP, etc) to get its
> authentication token? This way, I can simply use the username in eDirectory,
> and don't have to worry about using the AFS auth database. Or, maybe just as
> well, is there an AFS auth server that simply looks things up in an
> LDAP-type directory for its info?
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
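
The split described in the reply above, sketched as Linux NSS and PAM configuration. This is an added example, not part of the original message and not the OpenAFS project's own configuration. It assumes an NSS LDAP module, pam_krb5 and pam_afs_session are installed; the file paths and the "login" service name are illustrative.

```conf
# ---- /etc/nsswitch.conf (assumed path; glibc name service switch) ----
# "username -> LDAP": account attributes (UID, GECOS, home directory,
# shell) are looked up in the directory. The directory does not need to
# hold or serve any password material.
passwd: files ldap
group:  files ldap
# Keep shadow local-only so no password hashes are pulled from LDAP.
shadow: files

# ---- /etc/pam.d/login (assumed service file; Linux-PAM) ----
# "username -> Kerberos": the typed password is used only to obtain a
# Kerberos ticket from the KDC. There is deliberately no pam_ldap line
# in the auth stack, so the directory is never asked to check a password.
auth     required  pam_krb5.so
# Assumption: pam_afs_session is the module that converts the Kerberos
# ticket into an AFS token at login.
auth     optional  pam_afs_session.so

# Account validity is also checked against Kerberos.
account  required  pam_krb5.so

# Session phase: credential cache handling and AFS token/PAG setup.
session  required  pam_krb5.so
session  optional  pam_afs_session.so
```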