9:23 p.m.
Hi,
I've read the white paper "Red Hat Identity Management
and Security Solutions", and on page 13, it said that
Red Hat Directory Server supports a variety of
authentication standards and technologies, including:
- ...
- Kerberos tickets via SASL/GSSAPI
- ...
What does that exactly mean? Does that mean RHDS can
issue kerberos ticket out of the box? Or does that
mean I need to setup a kerberos server and use RHDS as
the backend for user information?
And this one:
- Impersonation (proxy) for multi-tier client
applications.
Could someone explain what does it mean and how can it
be used?
Thanks a lot
sz
__________________________________
Yahoo! Music Unlimited
Access over 1 million songs. Try it free.
http://music.yahoo.com/unlimited/
10:22 p.m.
speedy zinc wrote:
Hi,
I've read the white paper "Red Hat Identity Management
and Security Solutions", and on page 13, it said that
Red Hat Directory Server supports a variety of
authentication standards and technologies, including:
- ...
- Kerberos tickets via SASL/GSSAPI
- ...
What does that exactly mean? Does that mean RHDS can
issue kerberos ticket out of the box?
No.
Or does that
mean I need to setup a kerberos server and use RHDS as
the backend for user information?
Yes. When you use kinit to acquire your ticket, you can use that ticket
to authenticate to the directory server.
And this one:
- Impersonation (proxy) for multi-tier client
applications.
Could someone explain what does it mean and how can it
be used?
Sure. This is most often used with web apps or other apps that set up a
pool of connections to the directory server. Each connection in the
pool is bound as a proxy user. When a real user wants to authenticate,
the proxy connection passes the real user's bind credentials to the
directory server using the proxy auth control.
Thanks a lot
sz
__________________________________
Yahoo! Music Unlimited
Access over 1 million songs. Try it free.
http://music.yahoo.com/unlimited/
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
10:40 p.m.
Thanks for replying.
--- Rich Megginson <rmeggins(a)redhat.com> wrote:
>Or does that
>mean I need to setup a kerberos server and use RHDS
as
>the backend for user information?
>
>
Yes. When you use kinit to acquire your ticket, you
can use that ticket
to authenticate to the directory server.
So, if I understand what you're saying, the directory
server is acting as the TGS?
I'm going to setup a kerberos tonight. Which one works
better with FDS? MIT or Heimdal?
>And this one:
>- Impersonation (proxy) for multi-tier client
>applications.
>
>Could someone explain what does it mean and how can
it
>be used?
>
>
Sure. This is most often used with web apps or
other apps that set up a
pool of connections to the directory server. Each
connection in the
pool is bound as a proxy user. When a real user
wants to authenticate,
the proxy connection passes the real user's bind
credentials to the
directory server using the proxy auth control.
Oh, ok. I was thinking about something else :)
sz
__________________________________
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com
10:45 p.m.
speedy zinc wrote:
Thanks for replying.
--- Rich Megginson <rmeggins(a)redhat.com> wrote:
>>Or does that
>>mean I need to setup a kerberos server and use RHDS
>>
>>
>as
>
>
>>the backend for user information?
>>
>>
>>
>>
>Yes. When you use kinit to acquire your ticket, you
>can use that ticket
>to authenticate to the directory server.
>
>
>
So, if I understand what you're saying, the directory
server is acting as the TGS?
No. You have to set up the usual Kerberos TGS. The directory server
merely uses the tickets, like any other server/service.
I'm going to setup a kerberos tonight. Which one works
better with FDS? MIT or Heimdal?
I'm not sure. The instructions we have in our docs are geared towards
MIT, but Heimdal may work just fine.
>>And this one:
>>- Impersonation (proxy) for multi-tier client
>>applications.
>>
>>Could someone explain what does it mean and how can
>>
>>
>it
>
>
>>be used?
>>
>>
>>
>>
>Sure. This is most often used with web apps or
>other apps that set up a
>pool of connections to the directory server. Each
>connection in the
>pool is bound as a proxy user. When a real user
>wants to authenticate,
>the proxy connection passes the real user's bind
>credentials to the
>directory server using the proxy auth control.
>
>
>
Oh, ok. I was thinking about something else :)
It can also mean chaining. You can set up the directory server to use
another directory server as a database - what we refer to as a chaining
backend or database in our docs. The use of a directory server to act
as a "front-end" to another directory server is also called a proxy.
sz
__________________________________
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
10:52 p.m.
--- Rich Megginson <rmeggins(a)redhat.com> wrote:
No. You have to set up the usual Kerberos TGS. The
directory server
merely uses the tickets, like any other
server/service.
Got it.
>Oh, ok. I was thinking about something else :)
>
>
It can also mean chaining. You can set up the
directory server to use
another directory server as a database - what we
refer to as a chaining
backend or database in our docs. The use of a
directory server to act
as a "front-end" to another directory server is also
called a proxy.
Hmm... so what's the purpose of chaining directory
server? Wouldn't use a read-only replica better
in this case?
thanks
sz
__________________________________
Yahoo! Music Unlimited
Access over 1 million songs. Try it free.
http://music.yahoo.com/unlimited/
12:17 a.m.
>Hmm... so what's the purpose of chaining directory
>server? Wouldn't use a read-only replica better
>in this case?
>
>
>
Chaining is complementary to replication : chaining allows you to
leave the data where it is and take the query to the data,
which might be more efficient than moving the data.
It's also possible (by possible, I mean you might need to write code)
to play various proxy tricks when chaining :
multiplex operations onto a cluster of storage servers; re-write
the operations as they pass through; aggregate results from
multiple source servers; and so on.
Mind you, proxying and chaining are not commonly used in my experience,
compared to replication.
6758
days inactive
6758
days old
389-users@lists.fedoraproject.org
5 comments
3 participants
participants (3)
-
David Boreham -
Rich Megginson -
speedy zinc