Release 0.1.3 from the Hurderos Project.
g.w@hurderos.org
Wed Dec 22 06:25:56 EST 2004
Good morning to everyone and Season's Greetings.
With special appreciation to the MIT Kerberos Community the Hurderos
Project is pleased to announce Version 0.1.3 of its Single-Identity
Services and Authorization management system.
This release implements an extensible plug-in architecture for the MIT
Kerberos distribution which allows feature and functionality
enhancements without the need for source level modifications to the
source distribution itself. Additional information is provided below
on this functionality.
Useful links are as follows:
Source: ftp://ftp.hurderos.org/pub/Hurderos/src
Binaries: ftp://ftp.hurderos.org/pub/Hurderos/binaries
WEB: http://www.hurderos.org
Significant changes between the 0.1.2 and 0.1.3 release are included
at the end of this note.
The objective of the Hurderos Project is to provide an OSS based
Open-Architecture system for managing user identities and services to
be delivered to those identities. One of the primary goals is to
provide a rich architecture and support API to make Linux an
attractive platform for Independent Software Vendors (ISVs).
Hurderos is based on a unique identity model known as IDfusion. This
model establishes a new paradigm for addressing the fundamental
question of what an electronic identity actually is and a method for
deriving service specific identities which characterize each user's
presentation of a service. An important side-effect of this model is
that it establishes an inherent cryptographic guarantee for directory
services which makes the authorization information in the directory
robust in the face of directory compromise.
From the perspective of ISVs, IDfusion provides an inherent identity
mapping functionality which allows the mapping of authentication
identities to application specific identities. This allows existing
applications to leverage the capabilities of Hurderos identity
management, authorization and service provisioning without major
modifications to applications other than the use of the KerDAP API
provided by Hurderos.
In contrast to proprietary solutions such as Active Directory, the
Hurderos system provides an Open-Architecture management system which
is explicitly designed not to tie organizations to a particular server
or application architecture. This release focuses on this goal by
providing an Open-Architecture system for Kerberos based authorization
systems.
As noted above this release provides an initial implementation of an
extensible plug-in architecture for the MIT Kerberos source
distribution. The goal is to allow enhanced functionality such as
encapsulation of authorization information in the optional payload
section of Kerberos tickets without the need for source level
modifications to the distribution.
The 0.1.3 plug-in allows replacement or functionality enhancements in
the following areas:
1.) AS_REQ
2.) AS_REQ authorization payload generation
3.) TGS_REQ
4.) TGS_REQ authorization payload generation
5.) Password change/modifications
In addition to a plug-in implementing IDfusion based authorization
payloads the 0.1.3 distribution provides a sample plug-in for testing
purposes. This plug-in logs messages when fulfillment hooks are
called and provides a starting point for users who wish to write their
own enhancements.
Organizations that are implementing password synchronization systems
will find the Password hook provided to be particularly useful. By
intercepting password modifications at the database level the hook
provides an effective system for capturing password modifications
implemented through a variety of avenues including kadmind,
kadmin.local and kpasswd.
This release also provides a client/server application demonstrating
the implementation of ticket based authorization payloads using this
infrastructure.
The Hurderos Project would like to thank the MIT Kerberos team for all
their hard work in providing the reference implementation of Kerberos
to the user community. Their suggestions helped shape the design and
implementation of this extension architecture. Our hope is for
continued collaboration so that these enhancements can eventually make
it into the mainline distribution.
0.1.2 -> 0.1.3 Changes ----------------------------------------------------
* Implemented generic plug-in architecture for MIT Kerberos to
support functionality extensions through dynamic shared
libraries.
* Implemented Hurderos/Krb5 plug-in to provide directory based
control over ticket generation and to implement embedding
of authorization identities into Ticket-Granting and Service
tickets.
* Implemented build of modified MIT Kerberos distribution inside
Hurderos source tree.
* Updated and validated to version 2.6.0 of Xerces XML parser.
* Added std namespace declarations to SPL to enable compilation
under gcc 3.x. Also cleaned up header definitions to
improve C++ compiles.
* Fixed login initialization so that the user for which the secured
conduit is established is taken from the User field on the
Login panel.
* Converted KerDAP library to use function calls based on
an Identity type as the first argument to the function.
* Removed krb5_kt_register call from hurdmksvc. Version 1.3.x API
has problems with pre-existing keytabs.
* Added patches to support Hurvice service authorization directives
for Apache2 mod_auth_pam.
* Implemented KerDAP_Identity_KRB5_Search and KerDAP_KRB5_Search to
locate users based on a Kerberos identity.
* Implemented KerDAP_KRB5_Enabled to test whether or not Kerberos
service is enabled for an identity.
* Implemented support for modifying characteristics of service
instance identities.
* Implemented support for changing the status of service instance
identities in GOOII.
* Updated auth-krb5.c to support lookups of KERBEROS service and
to check status of the KERBEROS service.
* Removed memory leaks from ldap.c. LDAP identity destructor now
unbinds from the server.
* Implemented hurdserver and hurdclient utilities for testing and
prototyping of Hurderos service authorization identities in
Kerberos tickets.
* Updates to KerDAP library to handle creation and marshalling of
Kerberos service authorization structures containing Hurderos
service identities.
* Updated build system to patch, compile and install Kerberos as a
pre-requisite.
* Implemented basic skeleton for a SHIBBOLETH service plug-in for
ISME. Updated Hurderos schema to support the service identity
object.
* Added sample Kerberos kdc.conf to illustrate syntax for
specifying realm specific plug-ins.
* Modified clean command for Kerberos internal header directory to
initialize header files to zero length.
* Removed commented out test values from demo_load.sql.
* Added documentation to the INSTALL file detailing how to
configure the modified Kerberos distribution. Included
instructions on how to modify the kdc.conf file to use the
null test plug-in.
---------------------------------------------------------------------------
Best holiday wishes to everyone.
As always,
GW
------------------------------------------------------------------------------
The Hurderos Project
Open Identity, Service and Authorization Management
http://www.hurderos.org