Coda File System

Re: Coda authentication & LDAP

From: <u+codalist-p4pg_at_chalmers.se>
Date: Wed, 7 Mar 2007 22:21:13 +0100
Hi Stephane,

On Wed, Mar 07, 2007 at 07:19:41PM +0100, S. Cance wrote:
> That's why I am working on a LDAP based clog utility.

I guess it is the confusion between name services,
authentication and authorization, coming from the old Unix model,
the venerable passwd...

LDAP implements only the first part of those three
and of course one can imitate "passwd" on top of a directory service,
but it does not make the solution any more general.

I suggest that you do not invest your effort and time
into implementing a Coda-LDAP connection.

Think about the Coda security model:

- mapping between names and numerical ids:
in contrast to Unix systems, it is of no interest at all;
the numerical ids are internal to Coda and they are exposed for
historical reasons only (in the old times Coda did not possess globality)

- authentication is based on shared secrets and as such incompatible
with passwd-like methods and hence LDAP

- authorization is ACL-based and done by Coda servers,
there is no need for LDAP there (see though a remark at the end below)

> I'm trying to do things right, so that it can be used by others. I 

Sorry to tell you, it can not be done "right", if I guess your intentions
correctly.

> do you think it is useful to create a whole new way to authenticate 
> users, or should I create a tool to synchronize coda user database with 
> the ldap ?

You might want to propagate changes in your user db to Coda in order to:

1. create corresponding entries in the Coda user db:
easy, pdbtool is your friend

2. synchronize passwords in LDAP and Coda - then you are out of luck,
unless you move your password database to Kerberos; that protocol allows
verifying passwords both for plain login purposes and for producing Coda
tokens (note the difference: Kerberos is a set of authentication protocols,
while LDAP is a name service protocol)

3. synchronize groups - possible with creative use of pdbtool, but Unix groups
are primitive compared to Coda ones, so you would end up with a limited
authorization infrastructure - maybe ok.

What you possibly intend to do is to synchronize the numerical ids;
I would rather not. It makes ls -l output "comprehensible" on your clients,
but it still remains about as misleading as otherwise.

Looking from a different perspective, one could let Coda servers use name
services from an external provider, possibly via LDAP. Even if done, it would
not in any way reduce the fundamental incompatibility between authentication
concepts used in passwd/NIS/LDAP systems and in Coda.

Best regards,
Rune
Received on 2007-03-07 16:21:17
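An added example (not part of the list post or the Coda project) of the one synchronization step Rune calls easy: turning LDAP user and group entries into pdbtool commands while deliberately dropping uidNumber/gidNumber, so Coda keeps assigning its own ids. The LDIF sample is constructed; the pdbtool subcommands "nu <name>" (new user, id chosen by Coda) and "ng <name> <owner>" (new group owned by an existing Coda user) and the owner name "admin" are assumptions, so check them against your pdbtool's help output before feeding the generated script to it.

```shell
#!/bin/sh
# Constructed LDIF, standing in for "ldapsearch -LLL" output (not from the post).
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=example,dc=org
objectClass: posixAccount
uid: alice
uidNumber: 1001

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: posixAccount
uid: bob
uidNumber: 1002

dn: cn=staff,ou=groups,dc=example,dc=org
objectClass: posixGroup
cn: staff
gidNumber: 2001
memberUid: alice
memberUid: bob
'

# Read LDIF on stdin, write a pdbtool command script on stdout.
# Assumed pdbtool syntax: "nu <name>" creates a user with a Coda-assigned id,
# "ng <name> <owner>" creates a group owned by the Coda user $1.
# uidNumber/gidNumber are intentionally ignored: Coda ids stay Coda's own,
# which is the advice given in the post.
ldif_to_pdbtool() {
    awk -v owner="$1" '
        # Emit one command per finished LDIF entry, keyed on its objectClass.
        function flush() {
            if (kind == "user"  && uid != "") print "nu " uid
            if (kind == "group" && cn  != "") print "ng " cn " " owner
            kind = ""; uid = ""; cn = ""
        }
        /^objectClass: posixAccount$/ { kind = "user" }
        /^objectClass: posixGroup$/   { kind = "group" }
        /^uid: / { uid = $2 }
        /^cn: /  { cn  = $2 }
        /^$/     { flush() }
        END      { flush() }
    '
}

# Dry run over the constructed sample; group owner "admin" is an assumption.
sample_commands() {
    printf '%s' "$SAMPLE_LDIF" | ldif_to_pdbtool admin
}

sample_commands
```

Group membership is left out on purpose: adding members needs the Coda ids that only exist after the users are created, so it is a second pass over pdbtool's own listing, not over LDAP.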