[Kdc-info] policy-as-code

Leif Johansson leifj at it.su.se
Thu May 15 02:59:28 EDT 2003


Ken Raeburn wrote:

>The "can't obtain tickets" restriction based on random parameters
>bothers me.  If we don't want the user to be able to use the service,
>that's an authorization issue.  Why are we preventing the user from
>
Well, it's authentication authorization but yes ... Note that in the case where the service is krbtgt (I only want my windows afs clients to get krb4 tgt's) the authorization policy still belongs in the kdc.

>*authenticating* to it?  Maybe there's some perceived "level" of
>authenticity that's based on the IP address or iteration count?  Fine;
>express it in the tickets, and make an *authorization* decision based
>on that.  But, that aside....
>arbitrary policies, is it?
>
>Or does this lead to the cpim mess you mentioned?
>  
>
No. This sounds more like you want to provide hooks to describe the *existence* of policy (stored elsewhere) in the directory. I believe it is a way to get around the mess. CPIM tries to model every type of policy as objects/attributes. The number of x-references this requires is what leads to a big mess. Your suggestion avoids that.

>Ken
>  
>