[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: MS kerb drafts
Luke Howard <firstname.lastname@example.org> writes:
> I'm working a new backend that will use LDAP and the Active
> Directory schema. I think all the backend will need to do is
> handle the different name types (which, in the case of Active
> Directory, may be done by searching for the userPrincipalName
> attribute) and canonicalize the principal name if it is different
> to the enterprise name. The KDC will need to check whether the
> principal in the returned hdb_entry is different to the one it
> tried to fetch and, if so, return an error with the new principal.
Ok, that seems simple enough.
> On a related note, I want to add support for the backend returning
> authorization data. I haven't looked into this much yet, but is
> it naive to import and add AuthorizationData to hdb_entry so that
> the backend can cook up a PAC?
Wouldn't you want to generate the PAC data on the fly? If it's just
static data, doing what you suggests seems like a simple way.
> I haven't looked into how I would
> need to modify the KDC to return this to the client, it does look
> pretty hairy.
In what way? Figuring out where to hook in the code?