Re: kerberos and ldap: Standards?
From: Elrond
Subject: Re: kerberos and ldap: Standards?
Date: Fri, 21 Apr 2006 13:04:35 +0200
User-agent: Mutt/1.5.9i
On Tue, Apr 18, 2006 at 10:35:15AM +0200, Simon Josefsson wrote:
> Hi Elrond! Sorry for the slow response.
>
> Elrond <address@hidden> writes:
>
> > Maybe a bit off-topic, but:
> >
> > I know about hdb.schema from heimdal.
> >
> > Are there any other notable standards about storing
> > kerberos related information in ldap?
>
> Have you seen:
>
> http://josefsson.org/cgi-bin/viewcvs.cgi/shishi/doc/specifications/draft-johansson-kerberos-model-02.txt?rev=1.1&view=auto
Ahh, looks interesting.
[...]
> > Currently I'm interested in an attribute that stores the
> > Kerberos principal name that relates to a DN/account.
> >
> > In hdb.schema this is krb5PrincipalName.
>
> I think you could write a new shisa module that would get the
> information the KDC requests from shisa from the LDAP server. Copy
> file.c and file.h into ldap.c and ldap.h and start modifying it... It
> probably requires some work, but maybe I can assist you.
Well, I don't want to write a full backend for shisa.
I only want to put mappings into ldap.
Think of mapping unix accounts (which are flat, no realm)
to principals (which have a realm).
Say I want to map unix user jas to address@hidden and unix
user elrond to address@hidden:
uid: jas
unknown: address@hidden
uid: elrond
unknown: address@hidden
So what to use for "unknown"?
My current best guess is "krb5PrincipalName".
Elrond
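The uid-to-principal mapping Elrond sketches, worked through as an added example (not code from the thread, Shishi or Heimdal): a small LDIF reader that collects the krb5PrincipalName value stored on each account entry and rejects values that are not principals with a realm. The LDIF records, the DNs and the realm EXAMPLE.ORG are constructed placeholders, and the expected-realm check is an assumption added here.

```python
import re

# Constructed LDIF records for this example; EXAMPLE.ORG is a placeholder realm.
# The last record shows the failure mode: a bare unix name stored where a
# principal (name@REALM) was expected.
SAMPLE_LDIF = """\
dn: uid=jas,ou=People,dc=example,dc=org
uid: jas
krb5PrincipalName: jas@EXAMPLE.ORG

dn: uid=elrond,ou=People,dc=example,dc=org
uid: elrond
krb5PrincipalName: elrond@EXAMPLE.ORG

dn: uid=broken,ou=People,dc=example,dc=org
uid: broken
krb5PrincipalName: broken
"""

# primary[/instance...]@REALM ; the realm part is mandatory.
PRINCIPAL_RE = re.compile(r"^[^@\s]+@[A-Za-z0-9.-]+$")


def parse_ldif(text):
    """Return one dict per LDIF record (attribute -> list of values).
    Handles blank-line record separators, '#' comments and folded
    continuation lines (a leading space); base64 ('::') values are not decoded."""
    entries, current, last_key = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key:
            current[last_key][-1] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        current.setdefault(key, []).append(value.strip())
        last_key = key
    if current:
        entries.append(current)
    return entries


def principal_map(text, expected_realm):
    """Map uid -> principal for entries whose krb5PrincipalName is a
    well-formed principal in expected_realm; everything else is reported
    in a second dict so a mis-filled attribute is never silently accepted."""
    accepted, rejected = {}, {}
    for entry in parse_ldif(text):
        uid = entry.get("uid", [None])[0]
        for principal in entry.get("krb5PrincipalName", []):
            if PRINCIPAL_RE.match(principal) and principal.rsplit("@", 1)[1] == expected_realm:
                accepted[uid] = principal
            else:
                rejected[uid] = principal
    return accepted, rejected
```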