RE: is that common to use kerberos authentication for SUN iplanet LDAP server?

You can use Sun's Directory server with a non-Sun KDC, you just have to
have SEAM (Sun's Kerberos) set up on the directory server (i.e. - it needs
the client libs).  If you have an install on Solaris 9 or 10 I don't
even think you need to install anything - the Kerberos libs are already
there.  (You will have to run the directory server on a Solaris box).
See http://docs.sun.com/source/817-7613/ssl.html

-dan

-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On
Behalf Of Kent Wu
Sent: Wednesday, August 31, 2005 3:29 PM
To: kerberos@mit.edu
Subject: is that common to use kerberos authentication for SUN iplanet
LDAP server?

Hi guys,

Does anyone have experience on this to share? 
I've set up a SUN LDAP server and it's running fine by 
using simple authentication so far. Of course I want to
make it more secure (to protect the password while binding 
to LDAP server) so I'm thinking either MD5-Digest or Kerberos.
However looks like SUN LDAP itself doesn't have kerberos 
abilities and I have to install SEAM (Sun Enterprise Authentication
Mechanism) separately to enable Kerberos..... 

   So I was thinking that if I can easily configure SUN LDAP to 
use MD5-digest then that should be the easiest however it seems 
that I have to store the password as plain-text in LDAP
server to enable MD5-digest and I don't want to do that (Let 
me know if there are other easier ways to enable MD5-digest). 

   So my question is that is it pretty easy to enable Kerberos 
for SUN LDAP after installing SEAM? Or can SUN LDAP use other 
KDC as well? 	 

Thanks a lot in advance !

P.S, I know LDAPS (LDAP over SSL) can easily achieve my goal 
however I kinda think it's an overkill since I don't really 
need to protect all the LDAP transactions except for the 
password part...

-Kent
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos




drwachd (20)
9/1/2005 3:38:19 PM
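
The storage trade-off raised in the original question, shown as an added example that is not part of the thread: a DIGEST-MD5 response (RFC 2831, qop=auth) is derived from the password itself, so a server holding only a salted hash can check a simple bind but cannot check a digest bind. The user, realm, password, nonces and digest-uri are constructed sample values, and `{SSHA}` storage is an assumption used here as the hashed alternative.

```python
import base64
import hashlib
import hmac
import os


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def digest_md5_response(username, realm, password, nonce, cnonce, nc, digest_uri):
    """RFC 2831 response value for qop=auth with no authzid."""
    # A1 begins with the raw MD5 of user:realm:password, so whoever computes
    # (or verifies) the response needs the password, not a salted hash of it.
    a1 = md5(f"{username}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    kd = f"{md5(a1).hex()}:{nonce}:{nc}:{cnonce}:auth:{md5(a2).hex()}"
    return md5(kd.encode()).hex()


def make_ssha(password, salt=None):
    """Salted SHA-1 userPassword value: {SSHA}base64(sha1(pw + salt) + salt)."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_simple_bind(stored, presented_password):
    """Simple bind: the client sends the password and the server re-hashes it."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        candidate = hashlib.sha1(presented_password.encode() + salt).digest()
        return hmac.compare_digest(candidate, digest)
    return hmac.compare_digest(stored.encode(), presented_password.encode())


def check_digest_bind(stored, username, realm, nonce, cnonce, nc, digest_uri, response):
    """True/False for a verifiable bind, None when the stored form rules it out."""
    # Simplification for this example: any scheme-prefixed value is a hash.
    if stored.startswith("{"):
        return None  # the password cannot be recovered, so A1 cannot be rebuilt
    expected = digest_md5_response(username, realm, stored, nonce, cnonce, nc, digest_uri)
    return hmac.compare_digest(expected, response)


def demo():
    # Constructed sample values, not taken from the thread.
    user, realm, password = "kent", "example.com", "constructed-pw"
    uri, nc = "ldap/ldap.example.com", "00000001"
    nonce, cnonce = os.urandom(8).hex(), os.urandom(8).hex()

    good = digest_md5_response(user, realm, password, nonce, cnonce, nc, uri)
    bad = digest_md5_response(user, realm, "wrong-pw", nonce, cnonce, nc, uri)
    hashed = make_ssha(password)

    return {
        # Cleartext storage: the digest bind verifies, password never on the wire.
        "digest_with_cleartext": check_digest_bind(password, user, realm, nonce, cnonce, nc, uri, good),
        "digest_wrong_password": check_digest_bind(password, user, realm, nonce, cnonce, nc, uri, bad),
        # Hashed storage: the digest bind is impossible, the simple bind still works
        # but only because the client sent the password to the server.
        "digest_with_ssha": check_digest_bind(hashed, user, realm, nonce, cnonce, nc, uri, good),
        "simple_with_ssha": check_simple_bind(hashed, password),
        "simple_with_ssha_wrong": check_simple_bind(hashed, "wrong-pw"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
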