
On 9/17/10 05:27, Neil Davies wrote:
> Why not use Kerberos?
> We find it works for us, integrates with web (natively or via WebAuth), remote command execution (remctl) and ssh - widely used, scales brilliantly.

1. Kerberos is only authentication. Authorization you get to deal with yourself, and you won't be able to use many off-the-shelf solutions in that space.

2. You require people to have Kerberos clients, and possibly kx509 for web auth. Or else you're just using it as a password store for programs to check against, in which case you've pretty much made it pointless.

Mind, we use Kerberos heavily around here... but we have the infrastructure that uses it. Web application space is *not* something that integrates well, though, unless you use it as a dumb store and manage the resulting authentication information yourself (Pubcookie, etc.). For a primarily web-based community, it's not an appropriate choice.

-- 
brandon s. allbery [linux,solaris,freebsd,perl] allbery@kf8nh.com
system administrator [openafs,heimdal,too many hats] allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon university KF8NH