[28523] in Kerberos
Re: Using LDAP in place of .k5login
daemon@ATHENA.MIT.EDU (Jos Backus)
Tue Oct 2 23:03:32 2007
Date: Tue, 2 Oct 2007 20:03:32 -0700
From: Jos Backus <jos@catnook.com>
To: Simon Wilkinson <simon@sxw.org.uk>
Message-ID: <20071003030332.GA69296@lizzy.catnook.local>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <3274216174.1623552@relay.gradwell.net>
Cc: kerberos@mit.edu, deengert@anl.gov
Reply-To: jos@catnook.com
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Wed, Oct 03, 2007 at 12:29:00AM +0100, Simon Wilkinson wrote:
>
> >Does anyone have any mods to use LDAP to store the auth_to_local
> >database?
>
> Somewhere or another I've got patches allowing this to be deferred to a
> daemon that's contacted through a Unix socket (library provides principal
> and username, dameon says yes or no). I never really got past prototyping
> this as a proof of concept, and we've never got round to using it in
> production, but I can dig out the code if anyone is interested. In the case
> you're discussing it would allow the LDAP lookups to be performed
> 'out-of-process'.
This sounds interesting. In the solution I am envisioning, this daemon would
take the hostname, principal and username and return whether the mapping is
valid or not, i.e. whether that principal can log into that user@hostname.
This then would somehow end up back in the app through krb5_kuserok().
(Btw, it sounds like this could also be implemented using a centralized
authorization server.)
Am I understanding correctly?
Thanks,
--
Jos Backus
jos at catnook.com
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos