You may be interested in this recent message on the subject from George
Cook:
Begin forwarded message:
From: George Cook <email@hidden>
Date: March 8, 2005 12:04:24 PM CST
To: Jim Avery <email@hidden>
Cc: email@hidden
Subject: Re: Kerberos with Darwin
Jim:

QTSS and Darwin Streaming Server support simple authentication
similar to Apache. It's simple and uses MD5 basic encryption for
passwords on the wire. On the server, passwords are stored in a text
file using crypt (file is owned by and readable by the "qtss" user
that the streaming server runs under - it is not accessible by other
users on Mac OS X and other *nix systems).

Using the Open Source as a starting point, NYU has created a
Shibbolized module for QTSS and Darwin Streaming Server. Shibboleth is
an Internet 2 technology that provides cross-realm authentication and
can work with Kerberos (Penn State uses it that way). With the NYU
module, a web/Shib authenticated client can access movies from the
server once authenticated.

Another Mac OS X specific project was done by Dan Sinema, one of our
Apple Systems Engineers in education. Mac OS X Server ships with Open
Directory which provides LDAP services and integrates with Kerberos
authentication. Dan's custom authentication module provides a bridge
between QTSS authentication and Open Directory. Since the QuickTime
client software isn't Kerberized, this approach provides a proxy
authentication method.

Of the above, I think the NYU approach is more secure. However, it is
more complex to set up as it requires an Apache/Shibboleth environment
to begin with.

-George
On Mar 19, 2005, at 8:24 AM, Erik wrote:

Hello,

At our institute we consider using a Darwin Streaming Server for
streaming educational videos. Therefore we would like to restrict
access to the streams. Only our students or staff should be able to
view video material with sensitive content.

I am aware that this can be achieved by adding users to the userlist
at the DSS with the qtpasswd mechanism and then putting a qtaccess text
file in the directory containing the video files. We are then able to
say "require valid user" or specify individuals with access to the
streams.

But at a university with 15K+ students and 2K+ employees it might make
a full person's job to fill and maintain the users database. Besides,
this is already done in the LDAP Directory Service of our institute.
The question is obvious: is it possible to connect the authentication
mechanism of the DSS to (open) LDAP?

Erik.