Kerberos and LDAP for Authorization

Guillaume Rousse Guillaume.Rousse at inria.fr
Thu Aug 19 05:03:44 EDT 2010


On 19/08/2010 01:04, Bram Cymet wrote:
> Hi,
> 
> I am working on using Kerberos and LDAP together. Replacing the kdb with
> LDAP seems simple enough.
I guess you're speaking of the KDC, and I don't know why you would like to
replace the KDC with the LDAP server.

> What I am wondering is: is it possible to send
> back Authorization details from LDAP with the Kerberos ticket or do
> Applications have to talk directly to LDAP to get the users
> Authorization details?
Kerberos is an authentication protocol only, except in the Microsoft
world. It can only tell you "this is an authenticated user". If you
want to apply user-based, or group-based, authorizations to an
application, you have to use a suitable backend, such as an LDAP server.
And there are really few applications able to authenticate in one place,
and authorize from another. The only ones I know are Apache, PAM and
Radius because you configure the whole authentication/authorization stack.

-- 
BOFH excuse #53:

Little hamster in running wheel had coronary; waiting for replacement to
be Fedexed from Wyoming
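
The split described in the reply above, sketched as an Apache configuration in which mod_auth_kerb authenticates and mod_authnz_ldap authorizes. This is an added example, not part of the original message; the realm, host name, keytab path, bind account, DNs and group name are placeholder assumptions.

```apache
<Location "/reports">
    # --- Authentication: Kerberos (mod_auth_kerb) establishes who the user is ---
    AuthType Kerberos
    AuthName "Kerberos login"
    KrbAuthRealms EXAMPLE.ORG                  # placeholder realm
    Krb5KeyTab /etc/httpd/http.keytab          # placeholder path; keep readable by the httpd user only
    KrbMethodNegotiate On                      # accept SPNEGO tickets from the browser
    KrbMethodK5Passwd Off                      # no fallback to a password sent via Basic auth
    # The authenticated name is user@REALM; map it to the bare user name
    # so it can be matched against the uid attribute in LDAP.
    KrbLocalUserMapping On

    # --- Authorization: LDAP (mod_authnz_ldap) decides what the user may do ---
    # No LDAP authentication provider is configured: the module only looks up
    # the already-authenticated user and checks group membership.
    AuthLDAPURL "ldaps://ldap.example.org/ou=people,dc=example,dc=org?uid?sub"
    AuthLDAPBindDN "cn=apache,ou=services,dc=example,dc=org"
    AuthLDAPBindPassword "CHANGE_ME"           # placeholder; use a read-only service account
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN On
    Require ldap-group cn=reports,ou=groups,dc=example,dc=org
</Location>
```

The Kerberos ticket carries no group information here; access is granted only if the LDAP lookup finds the user's DN in the named group.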


