[OpenAFS] OpenAFS and LDAP

J. D. Nurmi jnurmi-openafs-info@qwe.cc
Wed, 10 Mar 2004 10:35:22 -0500


I stand corrected *sheepish grin*


On Wed, 2004-03-10 at 09:56, Douglas E. Engert wrote:
> "gug.ml" wrote:
> > 
> > Hello,
> > 
> > First, sorry for my poor English :(
> > 
> > So, I have got an OpenLDAP server that authenticates users
> > through TLS. I'm not using a Kerberos server.
> > I'd like that OpenAFS contact the LDAP server in order to have
> > the login/pass and authorize (or not) the client to mount
> > (/home/ or other).
> > 
> > Can OpenAFS do it? (without Kerberos)
> > and if you've got a web site ;)
> 
> Yes it can be done without Kerberos and use X509 certificates
> and TLS. GSI implements a GSSAPI mechanism that uses X509 
> certificates and TLS to authenticate. The gssklog program on the 
> client uses the gssapi to authenticate to the gssklogd running on 
> the AFS database servers. The gssklogd returns an AFS token to the client. 
> 
> gssklog can be used with any GSSAPI, so if you have some other
> implementation it should work. It also works with Kerberos GSSAPI
> implementations such as MIT, Heimdal, SEAM and Microsoft SSPI.
> And it runs on Windows. 
> 
> So with AFS you don't need a kaserver, but still need the PTS
> or some replacement for it. The AFS token is still Kerberos, but the
> user never sees this, only the gssklog program which passes it off
> to the kernel. 
> 
> In effect the gssklogd is issuing AFS tokens which are in effect Kerberos
> tickets used internally by AFS only. 
> 
> See: ftp://achilles.ctd.anl.gov/pub/DEE/README.GSSKLOG
>      ftp://achilles.ctd.anl.gov/pub/DEE/gssklog-0.10.tar
>      http://www.globus.org/security/
> 
> > 
> > thanks in advance
> > benoit.
> > 
> > sorry for my poor English