[OpenAFS] Authentication Mechanisms

Derek Atkins warlord@MIT.EDU
05 Jan 2002 21:20:20 -0500


Nope.  Currently AFS only supports using KAServer (the AFS
authentication server) or Kerberos.

One thing you might consider is using eDirectory for account
information but using Kerberos for your network authentication
system.  It's certainly much more secure than using eDirectory
directly.

It would be like storing most of /etc/passwd in eDirectory,
but the actual "password" information in Kerberos.

-derek

"Donavan Pantke" <avatar@dcr.net> writes:

> I'm looking at putting in a shared Filesystem setup at my
> company, but I really started looking at the authentication system in NFS
> and said ick! :) Anyway, I was looking over the authentication mechanism in
> AFS, and I really didn't want to maintain yet ANOTHER username/password
> listing. That's the biggest reason I'm implementing a Novell eDirectory tree
> to handle that. My question is that I have PAM modules and such that
> authenticate users against the eDirectory, is there any way I can get AFS to
> use eDirectory or any similar directory (LDAP, etc) to get its
> authentication token? This way, I can simply use the username in eDirectory,
> and don't have to worry about using the AFS auth database. Or, maybe just as
> well, is there an AFS auth server that simply looks things up in an
> LDAP-type directory for its info?

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available