I continue to get feedback from my Kerberos blog post. I got this one mentioning interesting alternatives:
Greetings from Ecuador. I've read your post on Kerberos and LDAP. I've set up several interoperability schemes with Kerberos and LDAP in the past.

You can actually build a single sign-on domain controller for a mixed Linux/Windows environment using Heimdal and OpenLDAP. You need to store your principals in LDAP. This is easy, and Heimdal as well as MIT (though I've only done that with Heimdal) allow you to do so.

You can use both OpenLDAP and 389 Directory Server (formerly Fedora DS), which runs in Debian nicely. 389 might as well give you a break with the password policies, overlays for syncing Samba-POSIX-Kerberos password and all other uncomfortable stuff of Kerberos + LDAP.

pam-ccreds has proven a little bit like nscd: seems good on paper but you start to feel the heat when you bring it to practice. While I've made it work in the past, it brings newer security problems.

I recall in 2007 I deployed a Debian-based distribution in over 6K workstations for Venezuela's main power utility, and ccreds worked nicely. If you unplugged the network cable while xscreensaver was on, you could log in just by pressing Enter. And, believe me, any combination of the PAM parameters made pam-ccreds unusable.

So, try to use another PAM module for non-delayed non-networked authentication for roaming.

I'd be glad to share any other experience with you and the people over at Skolelinux. Just let me know, and have a nice day.

--
José Miguel Parrella Romero (bureado.com.ve)
PGP: 0x88D4B7DF
Debian Developer
Caracas, VE/Quito, EC

Posted here with his approval. Anyone with opinions on which Kerberos implementation we should use?

Happy hacking,
--
Petter Reinholdtsen