RBAC and Kerberos?

bart notvalid at email.com
Thu Jun 3 09:15:58 EDT 2004

  Ok.  Got the message.  Sounds like Kerberos with LDAP is the way to go
until some better combo comes along.  I don't suppose anyone knows of a JAAS
spi out there that combines these two into one interface for Java JAAS
security clients?

Thanks everyone
"bart.w.jenkins" <bart.w.jenkins at saic.com> wrote in message
news:40bdb5f9$1 at cpns1.saic.com...
> All,
> I would love to use MIT's Kerberos, but it looks as though it can NOT do
> Role Based Access Control (RBAC) out of the box.  It seems that MIT's
> Kerberos stores only principals and knows nothing about any roles those
> principals might or might not have.  For any particular user, I would love
> to be able to attach a list of roles that person plays.  For example, for
> user Joe, I need to be able to say that principal Joe has roles: Admin,
> Superuser or Manager or Supervisor, or Team1Leader etc.  Then, when Joe
> authenticates to the KDC, if both the principal (what Java JAAS calls the
> subject) could also return a list of roles (JAAS principals), I could then
> do RBAC.  Microsoft had to add some separate user-to-role database that is
> consulted when user's authenticate in their Active Directory realm.  I
> like to not have to do this.  Does anyone know of a Kerberos
> that does RBAC and, BTW, works with Sun's JAAS (Java security)?
> I could just have user Kerberos principals and Role principals, but then
> when someone logged in with a Role user id, I would not know who the
> underlying user was.  It seems that adding some Role attributes to the
> principal would help alot here.
> Thanks
> Bart

More information about the Kerberos mailing list