[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: MS kerb drafts

>> On a related note, I want to add support for the backend returning
>> authorization data. I haven't looked into this much yet, but is
>> it naive to import and add AuthorizationData to hdb_entry so that
>> the backend can cook up a PAC?
>Wouldn't you want to generate the PAC data on the fly?  If it's just
>static data, doing what you suggests seems like a simple way.

Well, our backend is dynamic -- it does a query against the LDAP
server for each fetch. For Active Directory, it's a matter of
reading the tokenGroups attribute (or traversing the group
membership list) as well as the other attributes the PAC needs
(the user's SID, etc etc ).

The MS PAC is signed by the KDC, but we're not sure how yet (still
being decoded)... needing to do this may not play well with 
putting this API in the backend, true.


-- Luke
Luke Howard | lukehoward.com
PADL Software | www.padl.com