Re: kerberos and ldap: Standards?

[Simon Josefsson]

Elrond <address@hidden> writes:

> [...]
>> > Currently I'm interested in an attribute, that stores the
>> > kerberos' principal name, that relates to a DN/account.
>> >
>> > In hdb.schema this is krb5PrincipalName.
>> 
>> I think you could write a new shisa module that would get the
>> information the KDC requests from shisa from the LDAP server.  Copy
>> file.c and file.h into ldap.c and ldap.h and start modifying it...  It
>> probably require some work, but maybe I can assist you.
>
> Well, I don't want to write a full backend for shisa.
>
> I only want to put mappings into ldap.
>
> Think of mapping unix accounts (which are flat, no realm)
> to principals (which have a realm).
>
> Say I want to unix user jas to address@hidden and unix
> user elrond to address@hidden
>
> uid: jas
> unknown: address@hidden
>
> uid: elrond
> unknown: address@hidden
>
> So what to use for "unknown"?
> My current best guess is "krb5PrincipalName".

Where does the unix username come from?

Do you want the shishi client to convert the unix username 'jas' into
address@hidden when it tries to get a ticket for a user?  Shisa can't
help you here, it is only used on the server.  While the server could
translate a request for jas with any realm into address@hidden, it
seems like a weird solution.

The default username in the client is computed by
shishi_principal_default_guess () in principal.c.  As you can see in
shishi_principal_default(), you can override this by setting the
environment variable SHISHI_USER.

I'm not sure I understand what you want.  Perhaps you need a more
intelligent guessing function on the client, possibly one that even
consult a LDAP server?  That could be added.  However, there is a
problem in authenticating and securing the LDAP connection, someone
could mitm it and redirect your requests.

Just rambling now...

/Simon