Wallet: LDAP

Russ Allbery rra at stanford.edu
Thu Jun 14 00:00:20 EDT 2012


Jan-Piet Mens <jpmens.dns at gmail.com> writes:

> I think I'm getting the hang of Wallet (0.12) even though I have a pile
> of questions (mainly concerning ACLs) I'll save for another time. :)

> A bit of `grep' through documentation and source shows that the LDAP
> verifier (I believe that's the term) hasn't been implemented yet.

You may want to grab the latest Git version, which has an implementation
(although it may still not be quite what you want).  It's linked off of
<http://www.eyrie.org/~eagle/software/wallet/>.  I really need to get
around to making another release.

> I've configured NETDB_{REMCTL_CACHE,HOST} in `wallet.conf'. I've also
> added a small script to `remctl.conf':

>         netdb node-roles /usr/local/bin/mynetdb ANYUSER

> All of that works. 

> `mynetdb' is:

>         #!/bin/sh

>         # handle args
>         #       argv[1] contains principal requested by Wallet client
>         #       argv[2] contains "name" (or is that role name?) in
>         #           Wallet ACL

>         # do the magic: find principal, etc. and:

>         echo "user"
>         exit 0

> The Wallet client reacts correctly to that output; if my script returns
> anything other than "admin", "user" or "team" (gleaned from ACL::NetDB)
> or exits with 1, the Wallet client tells me the principal is not
> authorized to get the requested object.

> Am I on the right track or is all of this horribly wrong?

Oh, that's a neat idea.  Sort of a cool way of faking an arbitrary ACL
plugin.  Yes, that should work fine.

> And since I don't know anything of NetDB: what is the difference (as far
> as Wallet is concerned) between user, team and admin?

None whatsoever.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
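[Editor's note: the script below is an added example, not code from the
thread above or from the Wallet project. It fills in the "do the magic"
part of the `mynetdb' stub using only the contract the thread describes:
argv[1] is the requesting principal, argv[2] is the name in the Wallet
ACL, and printing "admin", "user" or "team" with exit 0 authorizes while
any other output or exit 1 denies. The role table, the host names and
the stripping of an @REALM suffix before lookup are assumptions made for
the example; the thread does not say whether Wallet passes the realm.
The security-relevant difference from the stub is that this version
fails closed: an unknown principal, an unknown host, a role outside the
three ACL::NetDB recognises, or a malformed argument all deny.]

```shell
#!/bin/sh
# Added example (not from the thread or the Wallet project): a stand-in
# for the "netdb node-roles" remctl command wired up in remctl.conf as
#     netdb node-roles /usr/local/bin/mynetdb ANYUSER
#
# Contract as described in the thread:
#   $1  principal requesting the object (argv[1])
#   $2  name in the Wallet ACL, i.e. the host (argv[2])
#   print "admin", "user" or "team" and exit 0 to authorize;
#   print anything else, or exit 1, to deny.
#
# Assumptions not in the thread: the role table below is constructed for
# this example, and an @REALM suffix is stripped before lookup.

# Constructed role table: one "user host role" triple per line.
ROLE_TABLE='
jpmens   ldap1.example.com  admin
jpmens   www1.example.com   user
alice    www1.example.com   team
bob      www1.example.com   guest
'

# node_roles PRINCIPAL HOST
# Prints the role and returns 0 if PRINCIPAL holds an authorizing role on
# HOST; otherwise prints nothing and returns 1 (fail closed).
node_roles() {
    principal=$1
    host=$2

    # remctl hands arguments through unmodified, so refuse anything that
    # could smuggle extra fields or lines into the table lookup.
    case "$principal$host" in
        ''|*[!A-Za-z0-9._@/-]*) return 1 ;;
    esac
    case "$principal" in
        '') return 1 ;;
    esac
    case "$host" in
        '') return 1 ;;
    esac

    # Strip an @REALM suffix so "jpmens@EXAMPLE.COM" matches "jpmens".
    user=${principal%%@*}

    # First matching triple wins; no match yields an empty role.
    role=$(printf '%s\n' "$ROLE_TABLE" | awk -v u="$user" -v h="$host" '
        $1 == u && $2 == h { print $3; exit }')

    # Only the three roles ACL::NetDB recognises authorize the request.
    case "$role" in
        admin|user|team) printf '%s\n' "$role"; return 0 ;;
        *)               return 1 ;;
    esac
}

# When invoked by remctl, dispatch on the two arguments it passes.
if [ "$#" -eq 2 ]; then
    node_roles "$1" "$2"
    exit $?
fi
```

Because remctl.conf allows ANYUSER to call the command, the script is
the entire authorization boundary for this ACL type; the stub in the
thread, which unconditionally prints "user", would authorize every
principal for every host.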


More information about the Kerberos mailing list