UI for Kerberos accounts administration
Sam Hartman
hartmans at MIT.EDU
Fri Aug 20 12:25:36 EDT 2004
>>>>> "Lukas" == Lukas Kubin <kubin at opf.slu.cz> writes:

Lukas> I'm planning to build a web interface for administering
Lukas> our Kerberos/OpenAFS/LDAP accounts. How should I pass
Lukas> credentials to the web service? I can use the mod_auth_kerb
Lukas> module for Apache. Then some wrapper script will call
Lukas> kadmin command. When I want kadmin not to ask for password
Lukas> every time it is called, I'll have to create an
Lukas> administrator's keytab stored on the webserver. That way
Lukas> appears not to be secure.

Why is this not secure? It places your web service in the role as a
privilege delegation service rather than as acting as the user
directly.

You actually tend to want this though. At many sites it is reasonable
for a larger set of users to go through all the steps of creating a
properly configured account all at once than it is to allow a user to
only go through one of the steps of account setup. If only the web
server is authorized to act, it can enforce constraints like this.

--Sam
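
The delegation model described in the reply above, sketched as an added example that is not part of the original message or of any project's code: the wrapper authorizes the principal that mod_auth_kerb authenticated, validates the requested name, and only ever emits the complete setup sequence. The realm, keytab path, service principal, operator list and naming rule are assumptions, and the LDAP step is left out.

```python
import re
import subprocess

# All names below are assumptions for illustration, not from the original message.
REALM = "EXAMPLE.ORG"
KEYTAB = "/etc/webadmin/admin.keytab"        # hypothetical keytab path
SERVICE_PRINC = "webadmin/admin@" + REALM    # hypothetical keytab principal
ACCOUNT_CREATORS = {"alice@" + REALM}        # constructed operator list
USERNAME_RE = re.compile(r"[a-z][a-z0-9]{2,15}")  # assumed site naming rule


class Denied(Exception):
    """Request rejected before any privileged command is built."""


def plan_account_creation(remote_user, new_user):
    """Return the argv lists for the complete account setup, in order."""
    # remote_user is the principal mod_auth_kerb authenticated (REMOTE_USER).
    if remote_user not in ACCOUNT_CREATORS:
        raise Denied("%s may not create accounts" % remote_user)
    # Strict allow-list: the name is embedded in a kadmin query string,
    # so spaces, quotes, '/' (instances) and '@' must never get through.
    if not USERNAME_RE.fullmatch(new_user):
        raise Denied("invalid account name")
    kadmin = ["kadmin", "-k", "-t", KEYTAB, "-p", SERVICE_PRINC, "-q"]
    return [
        # Random key only; setting the initial password is a separate flow.
        kadmin + ["addprinc -randkey %s@%s" % (new_user, REALM)],
        # Assumes the service also holds the AFS tokens needed for pts.
        ["pts", "createuser", "-name", new_user],
    ]


def create_account(remote_user, new_user, run=subprocess.run):
    """Run every step of the plan; the service offers no single-step entry point."""
    plan = plan_account_creation(remote_user, new_user)
    for argv in plan:
        run(argv, check=True)   # argv list, no shell; raises on first failure
    return len(plan)
```

On the KDC, a kadm5.acl entry that grants the keytab principal only the add privilege keeps a compromise of the web server from becoming full realm administration.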