Coda File System

Re: Coda authentication & LDAP

From: Greg Troxel <gdt_at_ir.bbn.com>
Date: Wed, 07 Mar 2007 14:09:02 -0500
"S. Cance" <stephane.cance_at_enst-bretagne.fr> writes:

> I'm working on a network where every service uses LDAP to
> authenticate users.  That's why I am working on an LDAP-based clog
> utility.
>
> I'm trying to do things right, so that it can be used by others. I
> don't know if this is of any kind of interest to the Coda users.
> Using LDAP is pretty easy since we just have to bind to the LDAP
> server using a given username & password to check if we are
> authorised.

That may not be enough for coda; that only addresses part of what
tokens do.

> Still, the source code is quite complicated and I could use a hand
> on some of my questions:
>    - are the ACL checker(s) only based on tokens, or do they make
> references to the user database?
> What I mean here is: do I have to create a new user in pdbtool for
> each of the users in the LDAP database?
> If I do, is it possible to check if a user exists in the server
> database without using any password?

I'm not sure.  I think it's mostly about tokens.

>    - I see in U_BindToServer (line 325 of
> coda/coda-src/auth2/auser.c) a loop on each of the auth
> servers. While using LDAP there is only one LDAP server, so do the
> tokens have to be registered with each server, or are the
> tokens stored on the client and sent to the servers with each
> request if needed?

Tokens are sent by clients; it's like kerberos.

>    - I am not sure where the token is generated, I don't really get
> the whole token system in fact; if it is generated by the client
> wouldn't that be a security issue? And if it is generated by the server,
> LDAP auth doesn't seem that easy :(

I suggest looking at the Kerberos 5 code.  Clients use kerberos to
authenticate to the auth server and receive a token which is then used
the same way.

> Do you think it is useful to create a whole new way to authenticate
> users, or should I create a tool to synchronize the Coda user database
> with the LDAP one?

If you are using LDAP for everything, then it's probably best to have
coda use it.

The problem is that LDAP isn't really an authentication service, but a
directory service, and sending user/password around for servers to
verify is a bit scary.  But that's separate from how coda should be
integrated.

I think the real difficulty will be that the token
creation/distribution process is really authenticated key exchange,
where a user ends up with a crypto token that only he has, and the
server is sure that it's the right user.
If LDAP is only giving you the ability to check a username/pw, then I
don't see any mechanisms for confidentiality protection for the keys
in the tokens.
Received on 2007-03-07 14:11:19
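To make the last point concrete, here is an added toy sketch (not Coda's auth2 code, and not the real Kerberos wire format) of the Kerberos-style exchange the reply alludes to: the auth server derives a long-term key from the user's password, picks a fresh session key, and returns it wrapped under that user key plus a token wrapped under the servers' key. The realm salt, user database and the HMAC-based wrapping are constructed for the demo; a server that can only ask LDAP "is this password right?" holds no per-user key, so it has nothing to wrap the session key with.

```python
"""Toy Kerberos-style token issuance (added example, not Coda's protocol)."""
import hashlib
import hmac
import secrets

SALT = b"constructed-realm-salt"  # constructed sample value, fixed per realm


def string2key(password):
    # Long-term user key derived from the password (Kerberos calls this string2key).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000, 32)


def keystream(key, nonce, n):
    # Counter-mode PRF stream from HMAC-SHA256; enough blocks to cover n bytes.
    blocks = (hmac.new(key, nonce + bytes([i]), "sha256").digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def wrap(key, data):
    # Minimal authenticated wrapping for the demo: stream XOR plus a MAC over nonce||ciphertext.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("bad tag: wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


class AuthServer:
    def __init__(self):
        self.server_key = secrets.token_bytes(32)  # shared only among the servers
        self.users = {"alice": string2key("correct horse")}  # constructed user database

    def issue(self, user):
        """Return (session key wrapped for the user, token wrapped for the servers).
        Note the password itself never crosses the wire: the stored user key is enough."""
        session = secrets.token_bytes(32)
        for_user = wrap(self.users[user], session)
        token = wrap(self.server_key, user.encode() + b"\0" + session)
        return for_user, token


def client_recover(password, for_user):
    """Client side: only the holder of the password can unwrap the session key."""
    return unwrap(string2key(password), for_user)


def server_open_token(server, token):
    """File-server side: recover (user, session key) from the token."""
    user, session = unwrap(server.server_key, token).split(b"\0", 1)
    return user.decode(), session
```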