[OpenAFS] OpenAFS and LDAP

Douglas E. Engert deengert@anl.gov
Wed, 10 Mar 2004 08:56:59 -0600


"gug.ml" wrote:
> 
> Hello,
> 
> First, sorry for my poor English :(
> 
> So, I have an OpenLDAP server that authenticates users
> through TLS. I'm not using a Kerberos server.
> I'd like OpenAFS to contact the LDAP server in order to get
> the login/password and authorize (or not) the client to mount
> (/home/ or other).
> 
> Can OpenAFS do it? (without Kerberos)
> And if you've got a web site ;)

Yes, it can be done without Kerberos, using X.509 certificates
and TLS. GSI implements a GSSAPI mechanism that uses X.509
certificates and TLS to authenticate. The gssklog program on the
client uses the GSSAPI to authenticate to the gssklogd running on
the AFS database servers. The gssklogd returns an AFS token to the client.

gssklog can be used with any GSSAPI, so if you have some other
implementation it should work. It also works with Kerberos GSSAPI
implementations such as MIT, Heimdal, SEAM and Microsoft SSPI.
And it runs on Windows.

So with AFS you don't need a kaserver, but you still need the PTS
or some replacement for it. The AFS token is still Kerberos, but the
user never sees this, only the gssklog program, which passes it off
to the kernel.

In effect, gssklogd is issuing AFS tokens, which are Kerberos
tickets used internally by AFS only.

See: ftp://achilles.ctd.anl.gov/pub/DEE/README.GSSKLOG
     ftp://achilles.ctd.anl.gov/pub/DEE/gssklog-0.10.tar
     http://www.globus.org/security/

> 
> thanks in advance
> benoit.
> 
> sorry for my poor english
> 
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444