[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: kerberos and ldap: Standards?

From: Simon Josefsson
Subject: Re: kerberos and ldap: Standards?
Date: Fri, 21 Apr 2006 15:39:26 +0200
User-agent: Gnus/5.110005 (No Gnus v0.5) Emacs/22.0.50 (gnu/linux)

Elrond <address@hidden> writes:

> [...]
>> > Currently I'm interested in an attribute, that stores the
>> > kerberos' principal name, that relates to a DN/account.
>> >
>> > In hdb.schema this is krb5PrincipalName.
>> I think you could write a new shisa module that would get the
>> information the KDC requests from shisa from the LDAP server.  Copy
>> file.c and file.h into ldap.c and ldap.h and start modifying it...  It
>> probably require some work, but maybe I can assist you.
> Well, I don't want to write a full backend for shisa.
> I only want to put mappings into ldap.
> Think of mapping unix accounts (which are flat, no realm)
> to principals (which have a realm).
> Say I want to unix user jas to address@hidden and unix
> user elrond to address@hidden
> uid: jas
> unknown: address@hidden
> uid: elrond
> unknown: address@hidden
> So what to use for "unknown"?
> My current best guess is "krb5PrincipalName".

Where does the unix username come from?

Do you want the shishi client to convert the unix username 'jas' into
address@hidden when it tries to get a ticket for a user?  Shisa can't
help you here, it is only used on the server.  While the server could
translate a request for jas with any realm into address@hidden, it
seems like a weird solution.

The default username in the client is computed by
shishi_principal_default_guess () in principal.c.  As you can see in
shishi_principal_default(), you can override this by setting the
environment variable SHISHI_USER.

I'm not sure I understand what you want.  Perhaps you need a more
intelligent guessing function on the client, possibly one that even
consult a LDAP server?  That could be added.  However, there is a
problem in authenticating and securing the LDAP connection, someone
could mitm it and redirect your requests.

Just rambling now...


reply via email to

[Prev in Thread] Current Thread [Next in Thread]