Authentication Windows client against Kerberos MIT and authorizing against OpenLDAP.

Olaf Flebbe o.flebbe at science-computing.de
Wed Jun 24 02:30:25 EDT 2009


Hi,

> There is also a Windows SSP that allowed you to do what you want, and
> a couple of things you maybe are only thinking on, as create
> authorized accounts on the fly. I'm not aware of improvements (again
> since two years), but I did the work more or less nicely (needed to
> patch to not remove local accounts if something fails). It is at
> http://sc-ap.sourceforge.net/

I did the sc-ap thingy. It is "only" a wrapper around the Kerberos SSP,
creating accounts on the fly before Kerberos is doing its work.

I would be happy to proceed if anyone has an idea to improve sc-ap.
Please send me patches; I would be happy to include them.

There is one thing I did not publish until now: I have a patch to 
extract most of the cleartext password (at least with XP) with sc-ap, 
since Microsoft only did an easy "encrypting".

On the positive side: The knowledge of the algorithm to reconstruct
cleartext password would be a huge step in the direction to write
MS-independent SSPs.

> I cannot tell you if any of these allow any kind of roaming profile,
> in case you need it.

If I remember correctly, roaming profiles are quite difficult, since the
corresponding client technology is quite undocumented, AFAIK. If someone
has a pointer ...

Greetings,
Olaf Flebbe