[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Kerberos Feature Request



I want to enable that.

I'm suggesting that it would be nice if there were a MIT-independent 
and KTH-independent (and CyberSafe-independent ;-) mechanism that 
allowed you to do that.  Given a KDC-neutral enabling mechanism I 
expect that an open-source project or 10 would spontaneously form to 
bridge the gap between the conformant KDCs and the LDAP server of 
your choice (including true blue AD).

I'd be happy if the agreement/standard/whatever just said that you do 
an ldap query for the "pac" attribute from the unique ID that matches 
the principal, with the obvious REALM to DC= translation.

Jeffrey Altman objects that I want an API, not an RFC, so IETF 
shouldn't be involved, but I think the example I just gave would be 
an RFC.  I'm trying to limit my care-about's though.  I just want a 
general way to make use of the feature, which is currently pretty 
inaccessible.

At 11:41 PM +0000 2/10/04, Tim Alsop wrote:
>Henry,
>
>Are you proposing that the non-Microsoft KDC issues tickets 
>containing PAC data and gets the group membership information from 
>the Active Directory using LDAP ?
>
>Thanks, Tim.
>
>-----Original Message-----
>From: Henry B. Hotz [<mailto:hotz@jpl.nasa.gov>mailto:hotz@jpl.nasa.gov]
>Sent: 10 February 2004 18:27
>To: krbdev@mit.edu; Tim Alsop; heimdal-discuss@sics.se; 
>darwin-development@lists.apple.com
>Cc: Dj Byrne
>Subject: Kerberos Feature Request
>
>I probably should send this to the IETF group, but I'm not on their 
>mailing lists.  (Apologies if the cross-posting causes problems.) 
>It would be *nice* if all Kerberos distributions added this feature 
>the same way.
>
>One of the famous things that Microsoft did in their AD Kerberos 
>implementation is added authorization data to the (supposedly
>
>optional) PAC field that is necessary when using certain other 
>Microsoft functionality.  AFAIK all of the information added is also 
>contained in the LDAP directory that AD also provides.
>
>I do not think it makes any sense for a (non-Microsoft) Kerberos 
>server to directly maintain this data.  Rather it should have a 
>mechanism for acquiring the data from an external source, such as an 
>LDAP directory.
>
>My request is that the Kerberos community agree on a standard 
>external interface to get that data.  If the interface itself were 
>standardized then the work of connecting that interface to the 
>appropriate AD attributes could be done independently of any 
>Kerberos server, and could be updated as Microsoft updates their 
>schema independent of Kerberos versions.  It would also make the use 
>of PAC data in non-Microsoft environments much easier to consider.
>
>--
>The opinions expressed in this message are mine, not those of 
>Caltech, JPL, NASA, or the US Government.
>Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu


-- 
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu