[OpenAFS] users ldap?
Lawrence Greenfield
leg+@andrew.cmu.edu
Wed, 13 Nov 2002 14:21:35 -0500
> From: Derrick J Brashear <shadow@dementia.org>
> Date: Wed, 13 Nov 2002 11:16:35 -0500 (EST)
> [...]
> AFS pts, AFS kaserver, both, something else?
> The answer is still "no" (at least for the first 2) but if you mean
> something else I don't know what you're asking. pts has a database and
> doesn't do external lookups. kaserver could be replaced but other than
> Active Directory I don't know what LDAP server supports authentication.
To help clarify Derrick's answer, AFS derives authentication
information from a Kerberos service. It includes the "kaserver" which
is a suitable Kerberos 4 server. Many people use Heimdal's or MIT's
Kerberos 5 servers, and it should be possible to use Active
Directory's Kerberos 5 server.
AFS derives authorization (group) information from its pt server. It
is currently not possible to replace pts with LDAP; the closest you
could come would be a batch synchronization job between LDAP and
pts.
I think there would be a good amount of interest in a pt server
that did external lookups to LDAP. (AFS clients would continue to make
pt calls, which would then be translated to LDAP.)
I think there would also be interest in replacing pts with LDAP so
that AFS clients and servers used LDAPv3 to communicate about
authorization information, but this would be a more radical departure
from current AFS practice.
Larry
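The "batch synchronization job between LDAP and pts" that Larry mentions, sketched as an added dry-run example (this is not code from the thread or from OpenAFS). It assumes LDAP groups are groupOfNames entries whose member DNs start with uid=<name>, that the AFS user name equals that uid, and that synced groups live under an owner prefix `ldapsync:` so the job can never touch system:administrators or hand-maintained groups. The LDIF and the pts snapshot are constructed inline; in production they would come from an ldapsearch and from `pts listentries` / `pts membership`. The script emits pts argv lists instead of running them:

```python
"""Dry-run LDAP -> pts group sync (added example, not from the original post)."""
import re
from typing import Dict, List, Set

OWNER = "ldapsync"        # assumption: pts entity that owns every synced group
PREFIX = OWNER + ":"      # pts owner:name convention; the job only manages this namespace
UID_RE = re.compile(r"^uid=([^,]+),", re.IGNORECASE)
# Keep pts names strict so an odd LDAP uid never becomes an odd pts entry.
VALID_USER = re.compile(r"^[a-z0-9._-]{1,63}$")

# Constructed sample of what a search over the group subtree might return.
SAMPLE_LDIF = """\
dn: cn=staff,ou=groups,dc=example,dc=org
objectClass: groupOfNames
cn: staff
member: uid=alice,ou=people,dc=example,dc=org
member: uid=bob,ou=people,dc=example,dc=org
member: uid=Carol Smith,ou=people,dc=example,dc=org

dn: cn=web-admins,ou=groups,dc=example,dc=org
objectClass: groupOfNames
cn: web-admins
member: uid=alice,ou=people,dc=example,dc=org
"""

# Constructed snapshot of current pts membership in the managed namespace.
CURRENT_PTS: Dict[str, Set[str]] = {"ldapsync:staff": {"bob", "dave"}}


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: folds continuation lines, one dict per entry.
    Base64 (attr::) and URL (attr:<) values are skipped; they cannot be plain uids."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep or value.startswith(":") or value.startswith("<"):
            continue
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def desired_membership(ldif: str) -> Dict[str, Set[str]]:
    """Map each LDAP group to the pts user names it should contain.
    Members whose uid is not a clean pts name are dropped rather than mangled."""
    desired: Dict[str, Set[str]] = {}
    for entry in parse_ldif(ldif):
        classes = [c.lower() for c in entry.get("objectclass", [])]
        if "groupofnames" not in classes or "cn" not in entry:
            continue
        users = set()
        for dn in entry.get("member", []):
            m = UID_RE.match(dn)
            if m and VALID_USER.match(m.group(1).lower()):
                users.add(m.group(1).lower())
        desired[PREFIX + entry["cn"][0].lower()] = users  # pts lowercases names
    return desired


def plan_sync(desired: Dict[str, Set[str]], current: Dict[str, Set[str]]) -> List[List[str]]:
    """Diff desired vs. current state and emit pts commands as argv lists.
    Groups outside PREFIX are never created, changed or emptied.  A group that
    vanished from LDAP is emptied, not deleted: deleting it would leave its id
    dangling in every ACL that names it, while emptying is reversible."""
    cmds: List[List[str]] = []
    for group in sorted(set(desired) | set(current)):
        if not group.startswith(PREFIX):
            continue
        want = desired.get(group, set())
        have = current.get(group, set())
        if group not in current:
            cmds.append(["pts", "creategroup", "-name", group, "-owner", OWNER])
        for user in sorted(want - have):
            cmds.append(["pts", "adduser", "-user", user, "-group", group])
        for user in sorted(have - want):
            cmds.append(["pts", "removeuser", "-user", user, "-group", group])
    return cmds


if __name__ == "__main__":
    for argv in plan_sync(desired_membership(SAMPLE_LDIF), CURRENT_PTS):
        print(" ".join(argv))
```

Run with an administrator token and pipe the output through a review step before executing; the point of the prefix and of emptying rather than deleting is that a mistake in the LDAP side cannot lock administrators out or silently break ACLs.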