Kerberos and LDAP for Authorization
Guillaume Rousse
Guillaume.Rousse at inria.fr
Thu Aug 19 05:03:44 EDT 2010
On 19/08/2010 01:04, Bram Cymet wrote:
> Hi,
>
> I am working on using Kerberos and LDAP together. Replacing the kdb with
> LDAP seems simple enough.
I guess you're speaking of the KDC, and I don't know why you would like to
replace the KDC with the LDAP server.
> What I am wondering is: is it possible to send
> back Authorization details from LDAP with the Kerberos ticket or do
> Applications have to talk directly to LDAP to get the users
> Authorization details?
Kerberos is an authentication protocol only, except in the Microsoft
world. It can only tell you "this is an authenticated user". If you
want to apply user-based, or group-based, authorizations to an
application, you have to use a suitable backend, such as an LDAP server.
And there are really few applications able to authenticate in one place,
and authorize from another. The only ones I know are Apache, PAM and
Radius because you configure the whole authentication/authorization stack.
--
BOFH excuse #53:
Little hamster in running wheel had coronary; waiting for replacement to
be Fedexed from Wyoming
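
The split described in the reply above, shown for Apache as an added example (not part of the original message): mod_auth_kerb authenticates the user and mod_authnz_ldap authorizes by group membership. The realm, host name, DNs, keytab path and bind password are constructed placeholders.

```apache
# Added example; EXAMPLE.COM, ldap.example.com, the DNs and the keytab path
# are constructed placeholders, not values from the original message.
<Location "/app">
    # --- Authentication: mod_auth_kerb validates the client's Kerberos ticket ---
    AuthType Kerberos
    AuthName "Kerberos login"
    KrbMethodNegotiate On
    # Do not fall back to collecting the password over HTTP Basic.
    KrbMethodK5Passwd Off
    # Accept principals from this realm only.
    KrbAuthRealms EXAMPLE.COM
    Krb5Keytab /etc/httpd/conf/http.keytab
    # Strip "@EXAMPLE.COM" so the user name matches the LDAP uid attribute.
    KrbLocalUserMapping On

    # --- Authorization: mod_authnz_ldap looks the name up and checks the group ---
    AuthLDAPURL "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid?sub"
    AuthLDAPBindDN "cn=apache,ou=services,dc=example,dc=com"
    AuthLDAPBindPassword "CHANGE-ME"
    Require ldap-group cn=app-users,ou=groups,dc=example,dc=com
</Location>
```

Stripping the realm is only safe while `KrbAuthRealms` lists a single trusted realm; with several realms, `user@REALM-A` and `user@REALM-B` would map to the same LDAP entry.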