Re: Authorization
Hi Leif,
>Yea, I have cyrus-sasl in my ldap server (due to be released rsn, so
>you may still beat me to it :-) I have also thought about the
Hmm, are you working on OpenLDAP? If so, we should probably
coordinate efforts (or at least I should stop working on it; I only
started tonight :-)).
>ldap-backend-to-hdb idea (a backend I believe is the right abstraction)
>and would be interested in working on that. I guess one might start
>by figuring out what the schema looks like.
Sure. I think the tricky thing will be to make the mapping between
Kerberos and LDAP administrative domains flexible without making it
unnecessarily complicated. For example, W2K makes a few assumptions
about the mapping between realms and naming contexts which aren't
particularly flexible. I think some of these issues will have to
be resolved as part of adding SASL support, anyway. (So perhaps
you have already thought of them :^)).
Also, I have patches for OpenLDAP to support a domain socket transport
which should be more reliable for local (e.g. KDC -> LDAP server)
connections, as well as providing some semblance of a trusted
administrative domain...
FYI, MS are releasing the client-side part of our GSS-SASL code
as part of their AD/UNIX interop sample code.
cheers,
-- Luke
--
Luke Howard
PADL Software Pty Ltd
http://www.padl.com/
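The "trusted administrative domain" that a local domain-socket transport gives you comes from the kernel telling the listener which uid/gid is on the other end of the socket, something a TCP peer can never prove. The example below is added here as an illustration and is not Luke's OpenLDAP patch nor any PADL or OpenLDAP code: it opens a temporary AF_UNIX listener, reads the peer credentials (SO_PEERCRED on Linux, with a best-effort LOCAL_PEERCRED fallback for macOS whose struct layout is assumed), admits only a configured set of uids, and shows the authorization DN shape that OpenLDAP's SASL EXTERNAL mechanism derives from those credentials over ldapi://. The socket path, the "whoami" message and the function names are assumptions made for the example.

```python
import os
import socket
import struct
import sys
import tempfile
import threading


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process at the far end of a connected
    AF_UNIX socket, as reported by the kernel (pid is None where the
    platform does not expose it)."""
    if hasattr(socket, "SO_PEERCRED"):
        # Linux: struct ucred { pid_t pid; uid_t uid; gid_t gid; } (3 ints)
        raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                              struct.calcsize("3i"))
        pid, uid, gid = struct.unpack("3i", raw)
        return pid, uid, gid
    if sys.platform == "darwin":
        # macOS: LOCAL_PEERCRED (optname 1, level SOL_LOCAL == 0) fills
        # struct xucred { u_int cr_version; uid_t cr_uid; short cr_ngroups;
        # gid_t cr_groups[16]; }.  Assumption: 76-byte layout, uid at
        # offset 4, first group at offset 12.
        raw = conn.getsockopt(0, 0x0001, 76)
        uid = struct.unpack_from("I", raw, 4)[0]
        gid = struct.unpack_from("I", raw, 12)[0]
        return None, uid, gid
    raise OSError("peer credentials are not available on this platform")


def peercred_dn(uid, gid):
    """Authorization DN OpenLDAP derives for a SASL EXTERNAL bind over
    ldapi:// (the string slapd's authz-regexp rules match against)."""
    return "gidNumber=%d+uidNumber=%d,cn=peercred,cn=external,cn=auth" % (gid, uid)


def exchange_over_unix_socket(trusted_uids=None):
    """Run one client/server exchange over a temporary AF_UNIX socket and
    return the server's view: the peer's uid/gid, the derived DN and
    whether the peer was admitted.  trusted_uids defaults to the
    current uid, so the default call models a local KDC talking to a
    slapd that trusts the account it runs as."""
    if trusted_uids is None:
        trusted_uids = {os.getuid()}
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "ldapi")  # assumed socket name
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    result = {}
    try:
        srv.bind(path)
        os.chmod(path, 0o600)  # file permissions are a second, coarser gate
        srv.listen(1)

        def client():
            c = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            c.connect(path)
            c.sendall(b"whoami")  # constructed request, not an LDAP PDU
            c.recv(64)
            c.close()

        t = threading.Thread(target=client)
        t.start()
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)
            _pid, uid, gid = peer_credentials(conn)
            # The decision rests on what the kernel reported, not on
            # anything the client sent.
            allowed = uid in trusted_uids
            conn.sendall(b"ok" if allowed else b"denied")
            result = {"uid": uid, "gid": gid,
                      "dn": peercred_dn(uid, gid), "allowed": allowed}
        t.join()
    finally:
        srv.close()
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(tmpdir)
    return result


if __name__ == "__main__":
    print(exchange_over_unix_socket())
    print(exchange_over_unix_socket(set()))
```

Running the module prints one admitted exchange (the caller's own uid is trusted) and one refused exchange (empty trust set). The point to take from it is that the uid/gid come from the kernel, so a KDC and an LDAP server on the same host can authenticate each other without shared secrets on the wire; the socket file's mode only limits who can connect at all.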