[OpenAFS] Problems installing openafs on Solaris9

Douglas E. Engert deengert@anl.gov
Thu, 04 Sep 2003 09:40:10 -0500


Nathan Neulinger wrote:
> 
> It should be possible to write an 'sslklog' similar to the gssklog stuff
> that Engert has written that would manufacture an appropriate
> ticket/token, but that would all have to be written from scratch.

Not really. If you have a GSSAPI that can use the LDAP database, then
you almost have it. 

The Globus GSI, which has a GSSAPI, uses the OpenSSL handshake, but uses
X509 certificates.

The real security concern is how the ldap password is protected in transmission
from client to server and how the token is then protected when sent from
the server to the client. The gss_wrap was used, as the token is not encrypted.

> 
> -- Nathan
> 
> On Thu, 2003-09-04 at 06:00, Petter Lindquist wrote:
> > On Wed, 3 Sep 2003, Jerome Walter wrote:
> >
> > > Unfortunately, you cannot store the passwords in the LDAP database. Passwords
> > > have to be stored in AFS database or Kerberos database. LDAP does only store
> > > accounting information, such as unix uid, shell, gecos and so on ...
> > > I think you do not want people to have two passwords, so you should use
> > > pam_afs for authentication, and nss_ldap to get the accounting information.
> >
> > Hmm.. We store passwords in LDAP for all other systems we are using, and
> > we can not use afs for logging into some web applications we have.
> >
> >
> > > To create the users in the afs database, see bos createuser (for superusers)
> > > and pts createuser/creategroup/adduser/membership.
> >
> > creating users in afs wouldn't be a problem, but it would be very nice to
> > have all passwords in the same database.
> >
> >
> > > Please do not be confused, groups and ids in the AFS database are only
> > > considered in the AFS space, and the unix environment does not get this
> > > information for local use. You have to have a unix id in your LDAP, and it is
> > > a good idea to get the same AFS and unix ids.
> >
> > That doesn't seem to be any problem at all.
> --
> 
> ------------------------------------------------------------
> Nathan Neulinger                       EMail:  nneul@umr.edu
> University of Missouri - Rolla         Phone: (573) 341-4841
> UMR Information Technology             Fax: (573) 341-4216

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444