Re: kerberos and ldap: Standards?
From: Simon Josefsson
Subject: Re: kerberos and ldap: Standards?
Date: Fri, 21 Apr 2006 15:39:26 +0200
User-agent: Gnus/5.110005 (No Gnus v0.5) Emacs/22.0.50 (gnu/linux)
Elrond <address@hidden> writes:
> [...]
>> > Currently I'm interested in an attribute, that stores the
>> > kerberos' principal name, that relates to a DN/account.
>> >
>> > In hdb.schema this is krb5PrincipalName.
>>
>> I think you could write a new shisa module that would get the
>> information the KDC requests from shisa from the LDAP server. Copy
>> file.c and file.h into ldap.c and ldap.h and start modifying it... It
>> probably requires some work, but maybe I can assist you.
>
> Well, I don't want to write a full backend for shisa.
>
> I only want to put mappings into ldap.
>
> Think of mapping unix accounts (which are flat, no realm)
> to principals (which have a realm).
>
> Say I want to map unix user jas to address@hidden and unix
> user elrond to address@hidden
>
> uid: jas
> unknown: address@hidden
>
> uid: elrond
> unknown: address@hidden
>
> So what to use for "unknown"?
> My current best guess is "krb5PrincipalName".
Where does the unix username come from?
Do you want the shishi client to convert the unix username 'jas' into
address@hidden when it tries to get a ticket for a user? Shisa can't
help you here; it is only used on the server. While the server could
translate a request for jas with any realm into address@hidden, it
seems like a weird solution.
The default username in the client is computed by
shishi_principal_default_guess () in principal.c. As you can see in
shishi_principal_default(), you can override this by setting the
environment variable SHISHI_USER.
I'm not sure I understand what you want. Perhaps you need a more
intelligent guessing function on the client, possibly one that even
consults an LDAP server? That could be added. However, there is a
problem in authenticating and securing the LDAP connection: someone
could mitm it and redirect your requests.
Just rambling now...
/Simon
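An added example, not from this thread or the Shishi sources, of the lookup order Simon describes (SHISHI_USER override first, then a guess) with Elrond's uid to krb5PrincipalName mapping folded into the guess. The mapping is read from a constructed LDIF fragment rather than a live LDAP server; SAMPLE_LDIF, parse_ldif, guess_principal and the realm EXAMPLE.ORG are assumed names.

```python
import os
import re

# Constructed sample LDIF in the shape Elrond proposes (uid plus
# krb5PrincipalName from hdb.schema); the realm EXAMPLE.ORG is hypothetical.
SAMPLE_LDIF = """\
dn: uid=jas,ou=People,dc=example,dc=org
uid: jas
krb5PrincipalName: jas@EXAMPLE.ORG

dn: uid=elrond,ou=People,dc=example,dc=org
uid: elrond
krb5PrincipalName: elrond@ELROND.EXAMPLE.ORG
"""

# Shape check for a Kerberos principal: one or more '/'-separated
# components, an '@', and an upper-case realm.
PRINCIPAL_RE = re.compile(r"^[^@/\s]+(?:/[^@/\s]+)*@[A-Z0-9.-]+$")


def parse_ldif(text):
    """Return {uid: krb5PrincipalName} from a minimal LDIF text."""
    mapping = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, value)
        if "uid" in attrs and "krb5PrincipalName" in attrs:
            mapping[attrs["uid"]] = attrs["krb5PrincipalName"]
    return mapping


def guess_principal(unix_user, default_realm, mapping, env=None):
    """Resolve a client principal: SHISHI_USER > directory mapping > uid@REALM.

    The mapping must come from a directory reached over an authenticated
    channel (Simon's mitm concern); here it is validated for shape only, so a
    malformed entry cannot yield a principal of unexpected form."""
    env = os.environ if env is None else env
    override = env.get("SHISHI_USER")
    if override:
        return override
    mapped = mapping.get(unix_user)
    if mapped is not None:
        if not PRINCIPAL_RE.match(mapped):
            raise ValueError("malformed krb5PrincipalName for %s: %r"
                             % (unix_user, mapped))
        return mapped
    return "%s@%s" % (unix_user, default_realm)
```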