[OpenAFS] OpenAFS and LDAP
Douglas E. Engert
deengert@anl.gov
Wed, 10 Mar 2004 08:56:59 -0600
"gug.ml" wrote:
>
> Hello,
>
> First, sorry for my poor English :(
>
> So, I have got an OpenLDAP server that authenticates users
> through TLS. I'm not using a Kerberos server.
> I'd like OpenAFS to contact the LDAP server in order to get
>
> the login/password and authorize (or not) the client to mount
> (/home/ or other).
>
> Can OpenAFS do it? (without Kerberos)
> And if you've got a web site ;)
Yes, it can be done without Kerberos, using X509 certificates
and TLS. GSI implements a GSSAPI mechanism that uses X509
certificates and TLS to authenticate. The gssklog program on the
client uses the GSSAPI to authenticate to the gssklogd running on
the AFS database servers. The gssklogd returns an AFS token to the client.
gssklog can be used with any GSSAPI, so if you have some other
implementation it should work. It also works with Kerberos GSSAPI
implementations such as MIT, Heimdal, SEAM and Microsoft SSPI.
And it runs on Windows.
So with AFS you don't need a kaserver, but still need the PTS
or some replacement for it. The AFS token is still Kerberos, but the
user never sees this, only the gssklog program which passes it off
to the kernel.
In effect the gssklogd is issuing AFS tokens which are in effect Kerberos
tickets used internally by AFS only.
See: ftp://achilles.ctd.anl.gov/pub/DEE/README.GSSKLOG
ftp://achilles.ctd.anl.gov/pub/DEE/gssklog-0.10.tar
http://www.globus.org/security/
>
> thanks in advance
> benoit.
>
> sorry for my poor English
>
> Access La Poste e-mail: www.laposte.net ;
> 3615 LAPOSTENET (€0.34/min) ; tel: 08 92 68 13 50 (€0.34/min)
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444