wallet ldap question

Ross Smith rjsm at umich.edu
Tue Aug 28 15:47:39 EDT 2012


Hello,

I apologize if this is an incorrect list to send this to.

I am looking at implementing wallet to streamline the distribution of our
host keytabs, which I am fairly comfortable with how to set up in the
environment here.  We would like to use the ldap-attr to manage the acls,
but our ldap structure is incompatible with the existing ldap-attr code.

Instead of looking up the principal and checking an attribute, we would
like to look up a key and check if an attribute contains the principal to
grant access.  e.g. our ldap is structured like below

ou=,dn=,cn=,cn=my-wallet-group:
                 member: uid=rjsm
                 member: uid=foo
                 member: uid=bar

I'd like to be able to define an acl on my-wallet-group and check if the
principal matches one of the uids.

What is the best course of implementing something like this?  I was
planning to use the existing ldap-attr code as a starting point and
implement this there?  Is there another option that I should also consider?

Thanks,

Ross Smith <rjsm at umich.edu>
College of Engineering - CAEN - Unix and Linux Support
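The group-membership check described in the post, written out as an added Python example (not wallet's own Perl ACL code): it takes the group entry the way an LDAP search would return it and decides whether the principal's uid appears among the member values. The group's base DN, the realm EXAMPLE.EDU, and the rule that only primary-only principals in that realm can match are assumptions.

```python
import re

# Constructed sample: the my-wallet-group entry from the post, as a dict of
# attribute -> list of values. The base DN is a placeholder (not in the post).
SAMPLE_GROUP = {
    "dn": "cn=my-wallet-group,ou=PLACEHOLDER,dc=example,dc=edu",
    "member": ["uid=rjsm", "uid=foo", "uid=bar"],
}

def uid_from_member(value):
    """Return the uid from a member value such as 'uid=rjsm' or a full DN
    'uid=rjsm,ou=people,dc=example,dc=edu'; None if the first RDN is not uid.
    Lower-cased because uid uses caseIgnoreMatch in the standard schema."""
    first_rdn = value.split(",", 1)[0].strip()
    m = re.fullmatch(r"(?i)uid=([^=+]+)", first_rdn)
    return m.group(1).strip().lower() if m else None

def principal_uid(principal, realm):
    """Map a Kerberos principal to a uid. Assumed policy: only a primary-only
    principal (no instance) in our own realm maps to a uid, so
    rjsm/admin@REALM and principals from other realms return None."""
    name, sep, prealm = principal.partition("@")
    if not sep or prealm.upper() != realm.upper():
        return None
    if not name or "/" in name:
        return None
    return name.lower()

def group_permits(principal, group_entry, realm):
    """The ACL decision: True only if the principal's uid is a group member.
    Any member value that is not a uid is ignored rather than matched."""
    uid = principal_uid(principal, realm)
    if uid is None:
        return False
    members = {uid_from_member(v) for v in group_entry.get("member", [])}
    members.discard(None)
    return uid in members
```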


More information about the Kerberos mailing list