[Deploying Sakai] Configuring CAS for auth, and Kerberos for WebDAV
Martin B. Smith
smithmb at ufl.edu
Wed May 4 05:00:41 PDT 2011
On 05/03/2011 09:06 PM, Seth Theriault wrote:
> Martin B. Smith wrote:
>
>> > One more consideration is that the Kerberos implementation
>> > makes one attempt with a bad password to test for user
>> > existence, so you'll need to patch it if that behavior would
>> > lock out users in your KDC:).
> The Kerberos provider was really meant to be used for
> authentication only, as noted in the installation docs:
>
> https://source.sakaiproject.org/svn/providers/trunk/kerberos/docs/INSTALL.txt
>
> Again, using your KDC as a directory is not recommended. If
> you need to provide users "externally," I would highly
> recommend LDAP or the like for the user data.
>
> Columbia provisions its Sakai users with local "internal"
> accounts and uses a CAS-like WebISO and Kerberos for
> authentication. I'd be happy to talk to anyone offline about
> our approach.
>
> Seth
>
Hi Seth,
UF also only uses Kerberos for authentication. We still had to patch
it... read on for details :)
Even using the Kerberos provider only for authentication (we used LDAP
at first for user directory data), the authentication method still
checks for a valid user using userExists() and userKnownToKerberos()
(last I looked, anyway, that's from my notes). userExists() returns true
even with a bad password (and it tries with String pw = "dummy";), and
logs "userKnownToKerberos(user): Kerberos user known (bad pw)".
In our Kerberos setup, we require preauth and lockout users after 20
failed attempts in 20 minutes. This means every time Sakai even asks the
Kerberos provider if a user is known to it, it counts as an attempt.
Anyway, maybe there's a setting there that could be added that disables
doing a kinit with a bad password just to look up the user. It doesn't
make sense for us, at least, even when just doing authentication-only
with the KerberosUserDirectoryProvider.
Cheers,
--
Martin B. Smith
smithmb at ufl.edu - (352) 273-1374
CNS/Open Systems Group
University of Florida
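Added example, not code from this thread or from the Sakai Kerberos provider: a small Python script that does the lockout accounting Martin describes against KDC log lines, so an administrator can see how many of the 20-failures-in-20-minutes budget the provider's dummy-password existence probes consume, and spot the fail-then-succeed pairs those probes leave behind. The log layout, principal names and client addresses are constructed for the example; a real KDC's log format will differ.

```python
"""Sliding-window accounting of failed pre-auth attempts per principal."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a simplified "<ISO time> <client> <principal> <result>"
# layout; they are not real krb5kdc output, so adapt parse_line() to your KDC's format.
SAMPLE_LOG = """\
2011-05-04T05:00:00 10.0.0.5 alice@EXAMPLE.ORG PREAUTH_FAILED
2011-05-04T05:00:01 10.0.0.5 alice@EXAMPLE.ORG ISSUE
2011-05-04T05:03:00 10.0.0.5 alice@EXAMPLE.ORG PREAUTH_FAILED
2011-05-04T05:03:01 10.0.0.5 alice@EXAMPLE.ORG ISSUE
2011-05-04T05:30:00 10.0.0.5 alice@EXAMPLE.ORG PREAUTH_FAILED
2011-05-04T05:30:01 10.0.0.5 alice@EXAMPLE.ORG ISSUE
2011-05-04T05:31:00 10.0.0.9 bob@EXAMPLE.ORG PREAUTH_FAILED
"""

def parse_line(line):
    ts, client, principal, result = line.split()
    return datetime.fromisoformat(ts), client, principal, result

def max_failures_in_window(log_text, window=timedelta(minutes=20)):
    """Peak number of PREAUTH_FAILED events a principal accumulated inside one
    sliding window; compare it against the KDC lockout threshold (20 here)."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for line in log_text.splitlines():
        ts, _, principal, result = parse_line(line)
        if result != "PREAUTH_FAILED":
            continue
        q = recent[principal]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        peak[principal] = max(peak[principal], len(q))
    return dict(peak)

def probe_then_login(log_text, gap=timedelta(seconds=5)):
    """Count failed-then-successful AS_REQ pairs from the same client for the
    same principal within `gap`: the footprint of an existence probe with a
    dummy password followed by the real login. Each pair burned one failure."""
    last_fail = {}
    pairs = defaultdict(int)
    for line in log_text.splitlines():
        ts, client, principal, result = parse_line(line)
        key = (client, principal)
        if result == "PREAUTH_FAILED":
            last_fail[key] = ts
        elif result == "ISSUE" and key in last_fail and ts - last_fail.pop(key) <= gap:
            pairs[principal] += 1
    return dict(pairs)
```

On the sample data alice's three logins burned three of her twenty allowed failures, which is the cost that makes a bad-password existence check worth disabling when the KDC enforces a lockout policy.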