[Deploying Sakai] Configuring CAS for auth, and Kerberos for WebDAV

Martin B. Smith smithmb at ufl.edu
Wed May 4 05:00:41 PDT 2011

On 05/03/2011 09:06 PM, Seth Theriault wrote:
> Martin B. Smith wrote:
>> >  One more consideration is that the Kerberos implementation
>> >  makes one attempt with a bad password to test for user
>> >  existence, so you'll need to patch it if that behavior would
>> >  lock out users in your KDC:).
> The Kerberos provider was really meant to be used for
> authentication only, as noted in the installation docs:
> https://source.sakaiproject.org/svn/providers/trunk/kerberos/docs/INSTALL.txt
> Again, using your KDC as a directory is not recommended. If
> you need to provide users "externally," I would highly
> recommended LDAP or the like for the user data.
> Columbia provisions its Sakai users with local "internal"
> accounts and uses a CAS-like WebISO and Kerberos for
> authentication. I'd be happy to talk to anyone offline about
> our approach.
> Seth

Hi Seth,

UF also only uses Kerberos for authentication. We still had to patch 
it... read on for details :)

Even using the Kerberos provider only for authentication (we used LDAP 
at first for user directory data), the authentication method still 
checks for a valid user using userExists() and userKnownToKerberos() 
(last I looked, anyway, that's from my notes). userExists() returns true 
even with a bad password (and it tries with String pw = "dummy";), and 
logs "userKnownToKerberos(user): Kerberos user known (bad pw)".

In our Kerberos setup, we require preauth and lockout users after 20 
failed attempts in 20 minutes. This means every time Sakai even asks the 
Kerberos provider if a user is known to it, it counts as an attempt.

Anyway, maybe there's a setting there that could be added that disables 
doing a kinit with a bad password just to lookup the user. It doesn't 
make sense for us, at least, even when just doing authentication-only 
with the KerberosUserDirectoryProvider.

Martin B. Smith
smithmb at ufl.edu - (352) 273-1374
CNS/Open Systems Group
University of Florida

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5129 bytes
Desc: S/MIME Cryptographic Signature
Url : http://collab.sakaiproject.org/pipermail/production/attachments/20110504/898ae1a3/attachment.bin 

More information about the production mailing list