[29122] in Kerberos
Re: Kerberized authorization service
daemon@ATHENA.MIT.EDU (Edward Murrell)
Tue Jan 22 00:39:57 2008
From: Edward Murrell <edward@murrell.co.nz>
To: kerberos@mit.edu
In-Reply-To: <20080121223615.GA62042@lizzy.catnook.local>
Date: Tue, 22 Jan 2008 18:38:50 +1300
Message-Id: <1200980330.6033.3.camel@fusion>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Sounds like something that would be better served using LDAP groups;
that way it could hook into existing infrastructure.
However, the current PADL PAM implementation (last I looked anyway)
wasn't especially brilliant at providing control for lots of hosts with
lots of users. It was possible to cobble something together
using /etc/security/access.conf, but it always felt... odd. Maybe look
into updating that?
Cheers,
Edward
On Mon, 2008-01-21 at 14:36 -0800, Jos Backus wrote:
>
> The server:
> - accepts some client-generated request (containing service,
> principal/username, hostname, etc.) over TCP;
> - sends this data to a backend application;
> - receives the response ('authorized' or 'not authorized') from the
> backend;
> - relays the response to the client.
>
> The client is called by pam_exec from the account group, so it has
> access to the username; the realm could be supplied on the command line.
> The client could try multiple authorization servers to ensure
> availability.
>
> The backend application could simply query a database which is
> maintained by another application (presumably with an easy to use web
> frontend).
>
> Thoughts? Would I be better off using GSSAPI instead?
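The design quoted above (a pam_exec client sending service, principal and hostname over TCP to an authorization server that consults a backend, with several servers tried for availability) can be sketched end to end in a few dozen lines. The following is an added example written for this archive page; it is not code from either poster. It assumes a newline-delimited JSON request and a one-word text reply as the wire format (the thread specifies neither), stands in a constructed in-memory table for the backend database, and relies on pam_exec's documented behaviour of exporting PAM_USER and PAM_SERVICE in the environment and treating a non-zero exit status as failure. Two defender-side choices are built in that the post leaves open: malformed requests and unreachable servers both yield "not authorized" (fail closed), and the realm is taken from the command line as the post suggests.

```python
import json
import os
import socket
import socketserver
import sys
import threading

# Constructed policy table standing in for the database the post's backend
# would query: (service, hostname) -> principals allowed to use it there.
POLICY = {
    ("sshd", "web01.example.com"): {"alice@EXAMPLE.COM", "bob@EXAMPLE.COM"},
    ("sshd", "db01.example.com"): {"alice@EXAMPLE.COM"},
    ("sudo", "db01.example.com"): {"alice@EXAMPLE.COM"},
}


def decide(request):
    """Backend decision: 'authorized' or 'not authorized'.
    Missing fields or a non-dict request are denied (fail closed)."""
    try:
        key = (request["service"], request["hostname"])
        principal = request["principal"]
    except (KeyError, TypeError):
        return "not authorized"
    return "authorized" if principal in POLICY.get(key, set()) else "not authorized"


class AuthzHandler(socketserver.StreamRequestHandler):
    """Server side: one JSON object per line in, one answer per line out."""

    def handle(self):
        line = self.rfile.readline(4096)  # bounded read: no unbounded buffering
        try:
            request = json.loads(line.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            request = None  # decide() turns this into a denial
        self.wfile.write((decide(request) + "\n").encode("utf-8"))


class AuthzServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def start_server(host="127.0.0.1", port=0):
    """Run the authorization server in a background thread; returns (server, port)."""
    server = AuthzServer((host, port), AuthzHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def query_servers(servers, request, timeout=2.0):
    """Client side: try each (host, port) in order and return the first
    well-formed answer. If no server answers, deny rather than grant."""
    payload = (json.dumps(request) + "\n").encode("utf-8")
    for host, port in servers:
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(payload)
                answer = sock.makefile("rb").readline(64).decode("utf-8").strip()
            if answer in ("authorized", "not authorized"):
                return answer
        except OSError:
            continue  # refused, timed out or unreachable: try the next server
    return "not authorized"


def pam_request_from_env(environ, realm, hostname=None):
    """Build the request from the variables pam_exec exports (PAM_USER,
    PAM_SERVICE); the realm comes from the command line as the post suggests."""
    user = environ.get("PAM_USER", "")
    return {
        "service": environ.get("PAM_SERVICE", ""),
        "principal": f"{user}@{realm}" if user else "",
        "hostname": hostname or socket.getfqdn(),
    }


if __name__ == "__main__":
    # Stand-alone demo: start one local server, query it as pam_exec would,
    # and exit 0 (PAM success) or 1 (PAM failure).
    realm = sys.argv[1] if len(sys.argv) > 1 else "EXAMPLE.COM"
    server, port = start_server()
    request = pam_request_from_env(os.environ, realm)
    verdict = query_servers([("127.0.0.1", 1), ("127.0.0.1", port)], request)
    server.shutdown()
    print(verdict)
    sys.exit(0 if verdict == "authorized" else 1)
```

The server list is walked in order, so a dead first entry (port 1 above) costs one refused connection and the second server still answers. What this sketch does not give you is what the closing question in the post is really about: over plain TCP the client has no way to know that the "authorized" line came from a genuine authorization server rather than from whoever sits on the path, so the transport itself needs authentication (GSSAPI/Kerberos mutual authentication, or TLS with server verification) before such a client can be trusted to make account decisions.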
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos