[OpenAFS-devel] Apache Directory Server as the Kerberos realm, oh, and more.....

Jim Doyle rockymtnmagic@yahoo.com
Thu, 26 Feb 2009 22:39:09 -0800 (PST)


I know of Heimdal, and Win Adv Server implementations, but has anyone 
taken the plunge with Apache DS 1.5 ?

Here's the birds eye summary of what it's capable of and why OpenAFS folk
ought to keep an eye on this:

http://directory.apache.org/apacheds/1.5/apacheds-v15-advanced-users-guide.html

Ten years later :: Welcome to the New DCE.  LDAP Directory, DNS, Kerberos and Time - all in one box; with support for replication for HA. The admin UI tool (Apache DS Studio) looks nice too. 

I could see some immediate ways to leverage this for OpenAFS.  Obviously, the Krb5 KDC and Password Change server is a big win and ANYTHING, Dear God!!, ANYTHING can outdo the kadmin tool.   

Further, one ought to be able to "relatively easily" synchronize the ptserver from LDAP.  The simplest approach would be to use the "LDAP triggers" to catch CRUD events and pump them to PTS.  One could make life very simple by using a forked shell wrapper to pts with -localauth to save much headache with tokens and whatnot. Assuming, of course, that the ApacheDS runs on the same box as the AFS ptserver.

The question begs.... Could you simply do away with the PTSERVER and VLDB and put these databases in LDAP ?  C-API LDAP client code with kerberos 5 support has long been there - so this is an "attainable" idea.

-- Jim (old cranky AFS and DCE hacker turned J2EE applications architect)
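The "forked shell wrapper to pts with -localauth" that the post sketches, written out as an added example; it is not part of the original post and not code from ApacheDS or OpenAFS. It assumes the directory-side trigger invokes the script as `pts_sync.sh <add|delete|rename> <uid> [newuid]` on the ptserver host itself, running as root so that `-localauth` can read the cell key from the server's KeyFile/rxkad.keytab and no token handling is needed; the `pts` path and the `DRY_RUN` switch are assumptions for illustration. The one thing a practitioner should not skip is the name check: an LDAP uid is attacker-influenced input reaching a root-run shell, so the wrapper whitelists a conservative charset (lowercase letters, digits, `.`, `_`, `-`) and refuses everything else, including `:` (reserved in pts for `owner:group` group names) and any shell metacharacter, before the value gets anywhere near a command line.

```shell
#!/bin/sh
# pts_sync.sh - glue between an LDAP change event and the AFS ptserver.
# Added example, not from the original post. Assumed invocation (by the
# directory trigger, on the ptserver host, as root):
#     pts_sync.sh <add|delete|rename> <uid> [newuid]

PTS=${PTS:-/usr/bin/pts}   # path to the pts binary (assumption)
DRY_RUN=${DRY_RUN:-0}      # DRY_RUN=1 prints the command instead of running it

# LDAP attribute values are untrusted input reaching a root-run shell, so
# accept only lowercase letters, digits, '.', '_' and '-', not starting with
# punctuation. This excludes spaces, every shell metacharacter, and ':'
# (reserved by pts for owner:group group names).
valid_name() {
    case "$1" in
        ''|*[!a-z0-9._-]*|[._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Map an event to the pts invocation and print it as a single line.
# Returns 1 and prints nothing for an unknown op or a rejected name.
pts_cmd() {
    op=$1; name=$2; newname=$3
    valid_name "$name" || return 1
    case "$op" in
        add)    printf '%s\n' "$PTS createuser -name $name -localauth" ;;
        delete) printf '%s\n' "$PTS delete -nameorid $name -localauth" ;;
        rename) valid_name "$newname" || return 1
                printf '%s\n' "$PTS rename -oldname $name -newname $newname -localauth" ;;
        *)      return 1 ;;
    esac
}

# Run (or, under DRY_RUN=1, just show) the mapped command and log the outcome
# to syslog. Word-splitting the validated string is safe only because
# valid_name has already excluded every metacharacter.
sync_event() {
    cmd=$(pts_cmd "$@") || { logger -t pts_sync "rejected event: $*"; return 1; }
    if [ "$DRY_RUN" = 1 ]; then
        printf 'would run: %s\n' "$cmd"
        return 0
    fi
    # shellcheck disable=SC2086
    set -- $cmd
    "$@" || { logger -t pts_sync "pts failed ($?): $cmd"; return 1; }
    logger -t pts_sync "ok: $cmd"
}

# Only dispatch when called with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then
    sync_event "$@"
fi
```

A delete on the LDAP side deliberately maps to `pts delete` of the user entry only; group memberships vanish with the entry, but any ACLs naming the old AFS ID stay in place until they are cleaned up, which is the same caveat that applies when an admin runs `pts delete` by hand.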