RBAC and Kerberos?

Nebergall, Christopher cneberg at sandia.gov
Wed Jun 2 19:05:36 EDT 2004


> Kerberos fits in best as an AuthN system.  It can very easily tie into
> LDAP which can support your AuthZ needs.

This is true within a single enterprise.   LDAP support for authorization
becomes more difficult once you are talking about federation between
different organizations.  It requires you to expose your directory server
outside your internal firewall and for partner site(s) to have intimate
knowledge of your directory schema.  In the web authentication world SAML
was developed to ease some of these burdens by defining a
language to share attributes more easily. Does anyone know if there is
research to use SAML and Kerberos together (SAML as the PAC data)?

Christopher Nebergall


-----Original Message-----
From: Digant Kasundra [mailto:digant at uta.edu] 
Sent: Wednesday, June 02, 2004 4:25 PM
To: bart.w.jenkins; kerberos at mit.edu
Subject: RE: RBAC and Kerberos?

In a core enterprise IT, you have 2 "systems": AuthN (authentication) and
AuthZ (authorization).  Kerberos fits in best as an AuthN system.  It can
very easily tie into LDAP which can support your AuthZ needs.

-- DK


> -----Original Message-----
> From: kerberos-bounces at MIT.EDU 
> [mailto:kerberos-bounces at MIT.EDU] On Behalf Of bart.w.jenkins
> Sent: Wednesday, June 02, 2004 1:12 PM
> To: kerberos at MIT.EDU
> Subject: RBAC and Kerberos?
> 
> 
> All,
> I would love to use MIT's Kerberos, but it looks as though it 
> can NOT do Role Based Access Control (RBAC) out of the box.  
> It seems that MIT's Kerberos stores only principals and knows 
> nothing about any roles those principals might or might not 
> have.  For any particular user, I would love to be able to 
> attach a list of roles that person plays.  For example, for 
> user Joe, I need to be able to say that principal Joe has 
> roles: Admin, Superuser or Manager or Supervisor, or 
> Team1Leader etc.  Then, when Joe authenticates to the KDC, if 
> both the principal (what Java JAAS calls the
> subject) could also return a list of roles (JAAS principals), 
> I could then do RBAC.  Microsoft had to add some separate 
> user-to-role database that is consulted when users 
> authenticate in their Active Directory realm.  I would like 
> to not have to do this.  Does anyone know of a Kerberos 
> implementation that does RBAC and, BTW, works with Sun's JAAS 
> (Java security)?
> 
> I could just have user Kerberos principals and Role 
> principals, but then when someone logged in with a Role user 
> id, I would not know who the underlying user was.  It seems 
> that adding some Role attributes to the kerb principal would 
> help a lot here.
> 
> Thanks
> 
> Bart
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
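
Added example, not part of the original thread and not MIT Kerberos or JAAS code: a sketch of the AuthN/AuthZ split discussed above, where the authenticated Kerberos principal stays the user's identity and roles are resolved from directory group entries. The realm, DNs, group layout and function names are assumptions, and the in-memory dictionaries stand in for LDAP search results.

```python
# Constructed sample data: realm, DNs and group layout are assumptions.
LOCAL_REALM = "EXAMPLE.ORG"
PEOPLE = "ou=people,dc=example,dc=org"
ROLES = "ou=roles,dc=example,dc=org"
USERS = {"joe": "uid=joe," + PEOPLE, "amy": "uid=amy," + PEOPLE}
# Role groups (groupOfNames style): group DN -> member DNs (users or groups).
GROUPS = {
    "cn=Team1Leader," + ROLES: ["uid=joe," + PEOPLE],
    "cn=Supervisor," + ROLES: ["cn=Team1Leader," + ROLES, "uid=amy," + PEOPLE],
    "cn=Admin," + ROLES: ["uid=amy," + PEOPLE],
}

def parse_principal(name):
    """Split 'primary[/instance]@REALM'. Simplified: no backslash escapes."""
    local, sep, realm = name.rpartition("@")
    if not sep or not local or not realm:
        raise ValueError("principal must include a realm: %r" % name)
    primary, _, instance = local.partition("/")
    return primary, instance or None, realm

def roles_for(dn, groups=GROUPS):
    """Group DNs that contain dn directly or through nested groups."""
    found, frontier = set(), [dn]
    while frontier:
        member = frontier.pop()
        for group_dn, members in groups.items():
            # 'found' also stops the walk if groups contain each other.
            if member in members and group_dn not in found:
                found.add(group_dn)
                frontier.append(group_dn)
    return found

def authorize(principal, required_role):
    """Return (user, roles, allowed) for an already-authenticated principal."""
    primary, instance, realm = parse_principal(principal)
    # A foreign realm or an instance such as joe/admin is a different
    # principal with no local directory entry, so it gets no roles.
    if realm != LOCAL_REALM or instance is not None or primary not in USERS:
        return primary, set(), False
    roles = {g.split(",")[0].split("=")[1] for g in roles_for(USERS[primary])}
    return primary, roles, required_role in roles

if __name__ == "__main__":
    for p in ("joe@EXAMPLE.ORG", "amy@EXAMPLE.ORG", "joe@PARTNER.EXAMPLE"):
        print(p, authorize(p, "Supervisor"))
```

The user name is returned alongside the roles, so an audit record can name the underlying user rather than a shared role account.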