Frank Cusack wrote:
> On Mon, 04 Oct 2004 10:55:49 +0800 sam <[EMAIL PROTECTED]> wrote:
>
>>Hi,
>>
>>I'm not sure which kerberos I should use. With Heimdal, it is a
>>thread-safe implementation, while MIT's kerberos is not.
>>
>>Please correct me if I'm wrong, it appears that there are more
>>applications that support MIT kerberos than Heimdal.
>>
>>I basically want to use kerberos as an SSO server and allow various
>>internet/network services to securely authenticate with
>>users. Applications I would like to be kerberized are samba, apache,
>>email (ldap)..
>>
>>So which kerberos should be used to avoid future difficulty of
>>integration with the above applications?
>
>
> Heimdal does not have a functioning replay cache, so if your app
> needs that you must go with MIT. MIT also seems to be more actively
> developed. (That's not to say that heimdal doesn't get worked on.)
>
> Most software these days still depends on MIT, however porting to
> heimdal is pretty easy.
>
> What my site does is use the heimdal server and MIT clients. And
> local apps (client or server) are all built against MIT. We use
> heimdal for the PK-INIT support.
>
> If heimdal is thread-safe, that's news to me. You shouldn't care
> if the apps you plan to use are off the shelf (sounds that way).
>
> Apache kerberization is a long hard road. You're much better off
> going with pubcookie or some such system.
> http://middleware.internet2.edu/webiso/ is a good page that
> points to lots of web sso software.
>
> Samba? good luck there as well.
>
> I don't understand why you wrote 'email (ldap)', what does ldap
> have to do with sso for email? Anyway, email kerberization is
> relatively easy, but for the end-user, relatively non-eventful
> since every mail client will store the user's password for them
> (and you can do imaps or imap with digest auth to protect the
> secrets). LDAP kerberization is also fairly well handled these
> days (but again, little to do with email authentication as such).
>
> Summary: I'd stick with MIT.
>
> /fc

Thank you very much for your suggestion. I think I will use Heimdal as a server as well.

Thanks
Sam
________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
