Question about krb5_kuserok() and .k5login

g.w@hurderos.org g.w at hurderos.org
Thu Apr 14 09:43:50 EDT 2005


On Apr 11,  5:07pm, "Matthew N. Andrews" wrote:
} Subject: Re: Question about krb5_kuserok() and .k5login

Good morning to everyone.

> > As long as we are headed in that direction would it make sense to the
> > Kerberos community for us to begin looking at the issues that would
> > need to be addressed with providing an alternate fulfillment hook for
> > krb5_kuserok?  Considering the discussions on the topic, extending
> > functionality for krb5_kuserok would seem to be an obvious candidate
> > for inclusion into the plug-in architecture.
> > 
> > Any comments or suggestions would be welcome.

> I for one would love to see a mechanism for retrieving authorization
> data from an LDAP directory. Some sort of plaintext mapping file
> support would also probably be nice (system, not user managed).

Hurderos already provides the basic infrastructure for doing LDAP
based authorization.  The identity based authorization model allows
administrators to differentiate authorization down to a machine/user
level.

The granularity of the authorization model also allows Quality of
Delivery specifications to be designated at that level.  For example,
users can only log into this machine or access such a service from
0800-1700.

There is lots of work to be done on the overall administrative and
management levels but all the basic infrastructure is in place.  As
of the 0.1.3 release authorization can be done externally, i.e. PAM,
or directly through the authorization payload field of a service
ticket.

We have concluded that the krb5_kuserok function needs to be pluggable
in nature to support not only Hurderos but other types of
authorization such as your plaintext mapping file.  We haven't sorted
all the details or issues on doing that yet.

> -Matt Andrews

Thanks for the information and reference point.

Have a good day.

Greg

}-- End of excerpt from "Matthew N. Andrews"

As always,
Dr. Greg 'GW' Wettstein
------------------------------------------------------------------------------
                         The Hurderos Project
         Open Identity, Service and Authorization Management
                       http://www.hurderos.org

