After much ado, I finally got LDAP using GSSAPI/SASL to look up authentication information from my Heimdal Kerberos database. To test, I got ProFTPd working off LDAP (although hopefully mod_gssapi will be added to Debian some day). Regardless, it works, and soon I will begin adding Samba, PAM, email, and a variety of web service stuff revolving around the merry union of Kerberos & LDAP.
Personally, I tend to deploy pam_ldap instead of direct LDAP auth. I think this makes life easier. I heard that the particular Linux implementation had (has??) memory leaks and other oddities, but so far I am satisfied. Has anyone had other experiences with that?
I replaced ProFTPd with the pure-ftpd-ldap package, which comes with LDAP and PAM support in the default Debian build. I don't know if it comes with GSSAPI.
Coming back to your security issue:
_ you could have two different LDAP "o=" for your FTP problem
_ or even two different hosts with LDAP DBs
(OK, you have to sync the passwords, but this could be a replica of the "internal users LDAP", so keep the internal LDAP host in the DMZ.)
_ if a user has 1000 passwords for 1000 services, I usually only need his shell account to spy out the rest -> no real protection, is it?
And yes, such centralised systems are used. They are specified in RFCs. One other system available is called "Active Directory" ;)
Just some thoughts on a late holiday night :-)
Best Regards, Andreas
P.S. Have you written some lines about your "LDAP using GSSAPI/SASL to auth"? I would be interested in it.
-- Andreas John net-lab GmbH Luisenstrasse 30b 63067 Offenbach Tel: +49 69 85700331
http://www.net-lab.net
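The two-host variant Andreas sketches (a replica holding only the FTP users, kept apart from the internal directory) can be built with OpenLDAP syncrepl. The slapd.conf fragment below for the replica is an added example, not from either poster and not a configuration either of them describes. Everything named in it is assumed: the hosts ldap-dmz.example.net and ldap.internal.example.net, the o=ftp-users suffix, the cn=proftpd service DN, the ldap/ldap-dmz.example.net Kerberos principal in the keytab, and the certificate paths. It assumes the internal server runs the syncprov overlay and grants that principal read access to o=ftp-users, and that the FTP side (ProFTPd's mod_ldap or pam_ldap) verifies passwords by binding as the user rather than reading userPassword, so no host in the DMZ can pull password hashes.

```conf
# slapd.conf for the replica (hypothetical host ldap-dmz.example.net).
# It carries only the FTP users subtree, pulled read-only from the internal
# directory; the FTP server never talks to the internal host.
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema        # posixAccount

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

# Assumed certificate files; simple binds (the FTP service account and
# bind-as-user password checks) are refused unless TLS gives SSF >= 128,
# so no cleartext password crosses the DMZ network.
TLSCertificateFile      /etc/ldap/ldap-dmz.crt
TLSCertificateKeyFile   /etc/ldap/ldap-dmz.key
security        simple_bind=128

database        mdb
suffix          "o=ftp-users"
rootdn          "cn=replicator,o=ftp-users"
# no rootpw: the consumer applies replicated changes as rootdn internally,
# nobody needs to bind as it from outside
directory       /var/lib/ldap/ftp-users
index           objectClass,uid eq
index           entryUUID,entryCSN eq     # syncrepl bookkeeping

# Pull only the FTP subtree, only account and service-account entries, and
# only the attributes the FTP server needs. bindmethod=sasl with GSSAPI means
# this slapd needs a keytab for ldap/ldap-dmz.example.net (assumption) that
# the internal server maps to an identity with read access on o=ftp-users.
syncrepl rid=001
        provider=ldap://ldap.internal.example.net
        type=refreshAndPersist
        searchbase="o=ftp-users"
        scope=sub
        filter="(|(objectClass=posixAccount)(objectClass=simpleSecurityObject))"
        attrs="uid,userPassword,uidNumber,gidNumber,homeDirectory,loginShell,cn,objectClass"
        bindmethod=sasl
        saslmech=GSSAPI
        retry="60 +"

# Writes are refused on the replica and referred to the internal master.
updateref       ldap://ldap.internal.example.net

# Password hashes are never readable here, only usable for binds ("auth");
# the FTP service account may read the rest of the subtree and nothing more.
access to attrs=userPassword
        by anonymous auth
        by * none
access to *
        by dn.exact="cn=proftpd,o=ftp-users" read
        by * none
```

With this layout the "sync the passwords" step Andreas mentions is the replication itself: the hashes travel to the replica encrypted under GSSAPI, but the ACL means nothing in the DMZ, the FTP server included, can read them back out, which narrows the exposure his last point (one compromised account gives away the rest) describes. The internal directory's own ACLs still decide what the replicator identity may see; restricting it there to o=ftp-users is what keeps the rest of the "internal users LDAP" off the replica.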