Help required in using kerberos in our project

Michael B Allen ioplex at gmail.com
Thu May 15 11:28:00 EDT 2008


On Thu, May 15, 2008 at 2:11 AM, Anshuman Hazarika
<anshuman_hazarika at yahoo.co.uk> wrote:
> Hi,
>
> We are developing a product called Zeus. In this
> product we need our users to be authorised using
> kerberos.
>
> We would like to know how to proceed with the
> development of this module.
>
> We have the user information, like the user name and
> password, stored in ldap.
>
> What we understand as of now is that we need to
> download and install the mit kerberos server. After
> that do we have to develop a kerberos client which
> talks to the kerberos server? If so how do we go about
> it? Are there APIs available?

Look into something called "GSSAPI". It is a general purpose API for
exchanging authentication tokens of different types (including
Kerberos) in an application specific way. There are GSSAPI libraries
for Java (JGSS) and for C (shipped with MIT and Heimdal
distributions). On Windows you have SSPI which is mostly compatible
with GSSAPI (SSPI tokens can be consumed by GSSAPI and GSSAPI tokens
can be consumed by SSPI).

> Can the utilities like kinit be used to develop the
> client which would take the username and password to
> be authorized using kerberos?

Kerberos clients usually already have a credential cache
infrastructure. Kinit is just one program that can populate your
credential cache with a Kerberos ticket given a username and password.
Windows clients get a ticket and put it in a kernel based credential
cache when you log in the first time (e.g. using Ctrl-Alt-Del).

Most Kerberos client and server programs use entirely GSSAPI to handle
authentication. The KDC (MIT, Heimdal, Active Directory, ...) should
already be set up and running in the target environment.

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
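
The token exchange described in the reply above, as an added example that is not part of the original message: a JGSS initiator that uses the ticket kinit left in the credential cache and trades GSSAPI tokens with a server. Assumptions: a KDC is already running, the host name, port, service name "zeus" and the 4-byte length-prefixed framing are placeholders for the application-specific transport, and the server runs the matching acceptor loop.

```java
import org.ietf.jgss.*;
import java.io.*;
import java.net.Socket;

public class GssClientSketch {
    static final int MAX_TOKEN = 65536; // assumed cap on a single token frame

    public static void main(String[] args) throws Exception {
        String host = "app.example.com";   // placeholder service host
        int port = 4444;                   // placeholder port
        String service = "zeus@" + host;   // placeholder host-based service name

        // Let the Kerberos mechanism find credentials itself (the cache
        // populated by kinit) instead of requiring a JAAS Subject.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        GSSManager mgr = GSSManager.getInstance();
        Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
        GSSName target = mgr.createName(service, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = mgr.createContext(target, krb5, null,
                                           GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true); // the client also wants proof of the server

        try (Socket s = new Socket(host, port)) {
            DataInputStream in = new DataInputStream(s.getInputStream());
            DataOutputStream out = new DataOutputStream(s.getOutputStream());
            byte[] token = new byte[0];
            while (!ctx.isEstablished()) {
                // Feed the peer's last token in, get our next token out.
                token = ctx.initSecContext(token, 0, token.length);
                if (token != null) {
                    out.writeInt(token.length);
                    out.write(token);
                    out.flush();
                }
                if (!ctx.isEstablished()) {
                    int len = in.readInt();
                    if (len <= 0 || len > MAX_TOKEN)
                        throw new IOException("bad token length: " + len);
                    token = new byte[len];
                    in.readFully(token);
                }
            }
            if (!ctx.getMutualAuthState())
                throw new IOException("server was not authenticated");
            System.out.println(ctx.getSrcName() + " -> " + ctx.getTargName());
        } finally {
            ctx.dispose(); // release the security context
        }
    }
}
```

The password never reaches this program: it is typed into kinit (or the OS login), and the application only handles opaque tokens.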


