
Re: MS kerb drafts



Luke Howard <lukeh@padl.com> writes:
> doc/standardisation/draft-ietf-krb-wg-kerberos-referrals-00.txt

:-)

> I'm working a new backend that will use LDAP and the Active
> Directory schema. I think all the backend will need to do is
> handle the different name types (which, in the case of Active
> Directory, may be done by searching for the userPrincipalName
> attribute) and canonicalize the principal name if it is different
> to the enterprise name. The KDC will need to check whether the
> principal in the returned hdb_entry is different to the one it
> tried to fetch and, if so, return an error with the new principal.

Ok, that seems simple enough.

> On a related note, I want to add support for the backend returning
> authorization data. I haven't looked into this much yet, but is
> it naive to import and add AuthorizationData to hdb_entry so that
> the backend can cook up a PAC?

Wouldn't you want to generate the PAC data on the fly?  If it's just
static data, doing what you suggest seems like a simple way.

> I haven't looked into how I would
> need to modify the KDC to return this to the client, it does look
> pretty hairy.

In what way?  Figuring out where to hook in the code?

/assar