Re: Absolute Basic question Kerberos/LDAP
- From: Allen Kistler <ackistler@xxxxxxxxx>
- Date: Thu, 25 Sep 2008 11:28:27 -0500
Tom wrote:
> Hello folks!
> As I am just setting up once again a Samba PDC, I was just once again confronted with Kerberos and LDAP as an authentication alternative to the samba-password file-method.
> Once again I asked Wikipedia about those services.
> Once again, actually, I did not really understand
> - what those services actually do - not as a theory, but what it means in practice!
LDAP is a hierarchical database, usually called a directory. A directory is just like what it sounds. It's a phone book. It's a list of names and some info about the things that have those names. You need someplace to keep a list of your users, right?
Kerberos is an authentication mechanism. Just because I might say I'm Abraham Lincoln doesn't mean I actually am Abraham Lincoln. If Abraham Lincoln is a valid user (say, because he's listed in the directory) and he has access to something (like a web service or a file service), that something should have a way to make me have to prove I'm Abraham Lincoln (which, of course, I should fail, since I'm not) then be able to make an access decision based on success or failure.
> - what the differences between Kerberos and LDAP are and why they seem somehow to be linked with each other
They aren't necessarily linked. Kerberos needs a list of valid users and their passwords/certificates/whatever. It also needs a list of access-controlled services (the things that are going to ask you to authenticate before they let you in). It doesn't have to be LDAP, but LDAP is pretty handy, especially if you've got lots of users and/or lots of services. You can, of course, store other stuff in LDAP, too, like email addresses, phone numbers, and organizational info (the stuff LDAP was actually originally invented to store), but Kerberos doesn't care about those.
> - if I would have any benefit from installing them on a server where I act as a PDC/fileserver.
Well, if you want to integrate with Windows systems (especially Win2k and later) or if you just want to Kerberize your file service, then AD-compatibility is a benefit.
If you just want Kerberos, NFSv4 also supports Kerberos. (Actually NFSv4 *requires* an authentication mechanism, and most/all implementations use Kerberos as that mechanism. Theoretically NFSv4 could use a mechanism that involves reciting secret chants and waving a rabbit's foot, but I'm not aware of any such implementations.) But most people use Samba instead of NFSv4 (conjecture based on perception, not assertion based on careful statistics), probably because there are more implementation notes/stories/howtos/etc. on it.
If you just want a fileshare for UNIX/Linux and if NFSv3 and earlier satisfy all your needs, then there's no benefit to Samba and Kerberos. Just use NFSv3 or earlier. Many people do.
> So please: could anybody provide me some VERY BASIC info about what this is all about?
> Thank you very much for every piece of info/advice.
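Added illustration, not part of Tom's or Allen's messages and not real Kerberos or Samba code: a toy Python model of the division of labour Allen describes. A plain dict stands in for the LDAP directory (who exists, their long-term keys, and attributes such as mail that Kerberos ignores); a KDC function checks that the client can prove knowledge of the principal's key and issues a ticket sealed under the service's key; the file service opens the ticket, checks the authenticator, and only then makes its own access decision against its own ACL. All principal names, passwords and the ACL are invented. The "encryption" is a labelled HMAC-based stand-in, not a Kerberos encryption type, and the two-step AS/TGS exchange is collapsed into a single exchange that issues the service ticket directly.

```python
import hashlib
import hmac
import json
import os
import time

SALT = b"EXAMPLE.REALM"  # toy: real Kerberos salts with realm plus principal name


def derive_key(password: str) -> bytes:
    """Long-term key from a password (stand-in for Kerberos string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range(-(-length // 32)):  # ceil(length / 32) blocks
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
    return out[:length]


def seal(key: bytes, payload: dict) -> bytes:
    """Toy authenticated encryption: HMAC counter keystream plus HMAC tag.
    Illustration only; real Kerberos uses AES-based encryption types."""
    plain = json.dumps(payload).encode()
    nonce = os.urandom(16)
    cipher = bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + cipher, "sha256").digest()
    return nonce + tag + cipher


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, tag, cipher = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + cipher, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    plain = bytes(c ^ s for c, s in zip(cipher, _keystream(key, nonce, len(cipher))))
    return json.loads(plain)


# The "phone book": stand-in for LDAP.  Lists who exists, their long-term
# keys, and attributes (mail) that Kerberos never looks at.  All made up.
DIRECTORY = {
    "abraham.lincoln": {"key": derive_key("four-score-and-seven"), "mail": "abe@example.test"},
    "john.booth": {"key": derive_key("sic-semper"), "mail": "jwb@example.test"},
    "cifs/fileserver": {"key": derive_key("service-long-term-secret")},
}
# Authorization lives with the service, not with Kerberos.
FILESERVER_ACL = {"abraham.lincoln"}


def kdc_as_exchange(principal: str, preauth: bytes, service: str):
    """KDC side: confirm the client knows the principal's key, then issue a
    ticket for `service` sealed under the service's key (client never sees inside)."""
    entry = DIRECTORY.get(principal)
    if entry is None or service not in DIRECTORY:
        raise PermissionError("unknown principal or service")
    stamp = unseal(entry["key"], preauth)  # raises ValueError on a wrong password
    if abs(time.time() - stamp["ts"]) > 300:
        raise PermissionError("clock skew or replay")
    session_key = os.urandom(32).hex()
    ticket = seal(DIRECTORY[service]["key"], {"client": principal, "skey": session_key})
    enc_part = seal(entry["key"], {"skey": session_key, "service": service})
    return ticket, enc_part


def service_accept(ticket: bytes, authenticator: bytes) -> str:
    """Service side: open the ticket with its own key, verify the authenticator
    under the session key, then make the access decision."""
    t = unseal(DIRECTORY["cifs/fileserver"]["key"], ticket)
    a = unseal(bytes.fromhex(t["skey"]), authenticator)
    if a["client"] != t["client"] or abs(time.time() - a["ts"]) > 300:
        raise PermissionError("authenticator does not match ticket")
    if t["client"] not in FILESERVER_ACL:
        raise PermissionError(f"{t['client']} authenticated but not authorized")
    return t["client"]


def login_and_access(principal: str, password: str) -> str:
    """Client side, end to end: returns 'accepted:<principal>' or 'rejected:<reason>'."""
    client_key = derive_key(password)
    try:
        preauth = seal(client_key, {"ts": time.time()})
        ticket, enc_part = kdc_as_exchange(principal, preauth, "cifs/fileserver")
        session_key = bytes.fromhex(unseal(client_key, enc_part)["skey"])
        authenticator = seal(session_key, {"client": principal, "ts": time.time()})
        return "accepted:" + service_accept(ticket, authenticator)
    except (ValueError, PermissionError) as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    print(login_and_access("abraham.lincoln", "four-score-and-seven"))  # real Abe: accepted
    print(login_and_access("abraham.lincoln", "i-am-honest-abe"))       # impostor: wrong key
    print(login_and_access("john.booth", "sic-semper"))                  # valid user, not on ACL
    print(login_and_access("nobody", "x"))                               # not in the directory
```

The four calls at the bottom map onto Allen's points: the impostor who claims to be Abraham Lincoln fails at the KDC because the pre-authentication blob does not open under the key the directory holds for that name; a user who is in the directory and authenticates fine can still be turned away by the service's own ACL, which is the access decision Kerberos leaves to the service; and a name that is not in the directory at all never gets a ticket. Swap the dict for real LDAP lookups and the toy sealing for a Kerberos library and the shape of the exchange is the same.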