[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: MS kerb drafts

To: assar@sics.se
Subject: Re: MS kerb drafts
From: Luke Howard <lukeh@PADL.COM>
Date: Fri, 5 Oct 2001 20:02:43 +1000
Cc: heimdal-discuss@sics.se, xad@PADL.COM
Organization: PADL Software Pty Ltd
References: <200110040738.RAA32271@au.padl.com> <5ly9mqtxwv.fsf@assaris.sics.se> <200110050818.SAA53617@au.padl.com> <5lofnma0e2.fsf@assaris.sics.se>
Reply-To: lukeh@PADL.COM
Sender: owner-heimdal-discuss@sics.se
Versions: dmail (bsd44) 2.2g/makemail 2.9a


>> On a related note, I want to add support for the backend returning
>> authorization data. I haven't looked into this much yet, but is
>> it naive to import and add AuthorizationData to hdb_entry so that
>> the backend can cook up a PAC?
>
>Wouldn't you want to generate the PAC data on the fly?  If it's just
>static data, doing what you suggests seems like a simple way.

Well, our backend is dynamic -- it does a query against the LDAP
server for each fetch. For Active Directory, it's a matter of
reading the tokenGroups attribute (or traversing the group
membership list) as well as the other attributes the PAC needs
(the user's SID, etc etc ).

The MS PAC is signed by the KDC, but we're not sure how yet (still
being decoded)... needing to do this may not play well with 
putting this API in the backend, true.

cheers,

-- Luke
--
Luke Howard | lukehoward.com
PADL Software | www.padl.com

Follow-Ups:
- Re: MS kerb drafts
  - From: Assar Westerlund <assar@sics.se>

References:
- MS kerb drafts
  - From: Luke Howard <lukeh@PADL.COM>
- Re: MS kerb drafts
  - From: Assar Westerlund <assar@sics.se>
- Re: MS kerb drafts
  - From: Luke Howard <lukeh@PADL.COM>
- Re: MS kerb drafts
  - From: Assar Westerlund <assar@sics.se>

Prev by Date: Re: MS kerb drafts
Next by Date: Re: MS kerb drafts
Prev by thread: Re: MS kerb drafts
Next by thread: Re: MS kerb drafts
Index(es):
- Date
- Thread