[Freeipa-devel] another snag with kerberos

Karl MacMillan kmacmill at redhat.com
Thu Jul 19 12:55:20 UTC 2007


On Thu, 2007-07-19 at 13:42 +1000, Andrew Bartlett wrote:
> On Wed, 2007-07-18 at 23:02 -0400, Rob Crittenden wrote:
> > Andrew Bartlett wrote:

[...]

> > 
> > > In these cases, you could authenticate the Apache/mod_auth_kerb by
> > > simply asserting your identity to LDAP over ldapi://
> > 
> > We're supposed to be hiding the fact that LDAP exists. In any case, I'm 
> > not sure how I can assert identity if I can't forward the ticket using 
> > the browser.
> 
> Personally, I think trying to hide LDAP is a poor way to start, and a
> lot of work to implement.  Apple did that with their Open Directory, and
> ended up recreating all the LDAP APIs as open directory APIs.  Sure, it
> let them swap in/out netinfo, but...
> 
> Similarly in Samba, we have in Samba3 a PDB abstraction, to let us
> handle the smbpasswd, tdb and ldap backends.  In many ways it just
> created more pain, particularly as we try and use the features of the
> LDAP backend. 
> 
> I thought that the RPC layer was just to batch up operations that need
> to be logically combined, but are not just one LDAP operation?
> 

Just to be clear - we are not trying to prevent people from talking to
the LDAP server if that is what makes sense for them. By "hide" we mean
more that we avoid exposing LDAP details in any of the user interfaces
that we provide. We are mainly trying to avoid a common problem that I
see with GUIs on top of LDAP where all sorts of LDAP details show
through (like asking the user for a dn when adding users).

We are also planning on providing the xmlrpc layer that makes common
operations a little easier than raw LDAP.

So I think we are avoiding your concerns by allowing LDAP to be exposed
if that is the best way to access the data.

Karl