[OpenAFS] OpenAFS and LDAP

Douglas E. Engert deengert@anl.gov
Wed, 10 Mar 2004 10:09:13 -0600


"J. D. Nurmi" wrote:
> 
> I stand corrected *sheepish grin*

I did not mean to correct you, but to indicate that there are
other options. The gssklog with GSI is not LDAP, but does show
that there are other ways to get a token without a Kerberos realm.
 


> 
> On Wed, 2004-03-10 at 09:56, Douglas E. Engert wrote:
> > "gug.ml" wrote:
> > >
> > > Hello,
> > >
> > > First, sorry for my poor English :(
> > >
> > > So, I have got an OpenLDAP server that authenticates users
> > > through TLS. I'm not using a Kerberos server.
> > > I'd like OpenAFS to contact the LDAP server in order to have
> > > the login/pass and authorize (or not) the client to mount
> > > (/home/ or other).
> > >
> > > Can OpenAFS do it? (without Kerberos)
> > > And if you've got a web site ;)
> >
> > Yes it can be done without Kerberos and use X509 certificates
> > and TLS. GSI implements a GSSAPI mechanism that uses X509
> > certificates and TLS to authenticate. The gssklog program on the
> > client uses the GSSAPI to authenticate to the gssklogd running on
> > the AFS database servers. The gssklogd returns an AFS token to the client.
> >
> > gssklog can be used with any GSSAPI, so if you have some other
> > implementation it should work. It also works with Kerberos GSSAPI
> > implementations such as MIT, Heimdal, SEAM and Microsoft SSPI.
> > And it runs on Windows.
> >
> > So with AFS you don't need a kaserver, but still need the PTS
> > or some replacement for it. The AFS token is still Kerberos, but the
> > user never sees this, only the gssklog program which passes it off
> > to the kernel.
> >
> > In effect the gssklogd is issuing AFS tokens which are in effect Kerberos
> > tickets used internally by AFS only.
> >
> >
> >
> >
> > See: ftp://achilles.ctd.anl.gov/pub/DEE/README.GSSKLOG
> >     ftp://achilles.ctd.anl.gov/pub/DEE/gssklog-0.10.tar
> >     http://www.globus.org/security/
> >
> >
> >
> > >
> > > thanks in advance
> > > benoit.
> > >
> > > Sorry for my poor English
> > >
> > > _______________________________________________
> > > OpenAFS-info mailing list
> > > OpenAFS-info@openafs.org
> > > https://lists.openafs.org/mailman/listinfo/openafs-info
> 

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444