
Re: Authorization

G'day Brian,

>    Frank> Sure, lots. :) Most notably security-wise, most sites will
>    Frank> use an insecure back-end authorization service (eg: NIS).
>
>Good point. Previously, I never thought of this information as
>authorization, but guess you are right.  Anyone know how protocols
>like LDAP compare? Can LDAP be used with Kerberos?

Yes, it can. First, the LDAP protocol supports Kerberos authentication,
either natively (with LDAPv2, and Kerberos IV) or via SASL (with
LDAPv3, and Kerberos IV or the GSS-API, and thus Kerberos V). There
is existing code in most LDAP distributions to do Kerberos IV 
authentication, and we have a commercial implementation of the GSS-API
SASL mechanism for Netscape's Directory Server and client library.

We're also looking at adding SASL support to the OpenLDAP libraries
(using the Cyrus SASL library) but it's quite possible that someone
else will get to this first. :-)

Secondly, it's possible to share a common repository for both the
Directory and the KDC, as Microsoft have done in Active Directory.
Thus a principal's authentication and authorization information are
located within the same entity, which has advantages as far as
administration and replication are concerned. Additionally,
the MS KDC fills the authorization_data field of the ticket with
various data which it presumably gets from the directory. (Assar
has done some work on decoding this and I think Luke Leighton of
the SAMBA team is looking into this further.)

I'm toying with the idea of replacing the hdb library (if that's
the right level of abstraction) with one that talks to a local
LDAP server, using domain sockets or some IPC... 


-- Luke

--
Luke Howard
PADL Software Pty Ltd
http://www.padl.com/