Authenticate as user/instance

Nico Williams nico at cryptonector.com
Tue Mar 13 15:57:10 EDT 2012


On Tue, Mar 13, 2012 at 1:59 PM, Tiago Elvas <tiagoelvas at gmail.com> wrote:
> The domain will be made of several machines, which will be running dedicated
> applications.
>
> These applications will be operated by persons. So, for several of these
> apps, we'll have profiles such as admin or user. So, in LDAP we'd have
> different profiles for the admin user for each application. The same
> "Operator" can have admin profile on one app and user profile on another
> one. That's why the need to identify principals like this, I guess...

I'm still confused by what you mean by LDAP profile.  Can you post
some example LDAP entries, and some reference for the schema that
you're using?

If by LDAP profile you mean user account in the POSIX/RFC2307bis
sense, then I think I understand exactly what you want to do, else I
don't yet understand :)

In any case, from the sounds of it, it seems that you want to treat
foo/clientA.fqdn as distinct from foo/clientB.fqdn for the purposes of
_authorization_.  I.e., you want foo/clientA to have access to some
resources that foo/clientB doesn't have access to and vice-versa.

Nico
--
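The authorization point in the reply above, shown as an added example that is not part of the thread or of any Kerberos implementation: authentication yields a full principal name, and the authorizing application keys its role table on the whole name (primary, instance and realm), so foo/clientA.fqdn and foo/clientB.fqdn map to different roles per application. The application names, hostnames, realm and role table are constructed placeholders.

```python
"""Added example: parse a Kerberos principal string and authorize on the
full (primary, instance, realm) triple, not on the primary alone."""
from dataclasses import dataclass
from typing import Dict, Optional

DEFAULT_REALM = "EXAMPLE.COM"   # constructed placeholder realm


@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]
    realm: str


def parse_principal(text: str, default_realm: str = DEFAULT_REALM) -> Principal:
    """Split 'primary[/instance][@REALM]'. A backslash escapes '/' and '@'
    so they become part of a component instead of acting as separators.
    Only the one- and two-component forms are handled here."""
    components, buf, in_realm = [], [], False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):     # escaped character: keep literally
            buf.append(text[i + 1])
            i += 2
            continue
        if not in_realm and ch == "/":
            components.append("".join(buf))
            buf = []
        elif not in_realm and ch == "@":
            components.append("".join(buf))
            buf = []
            in_realm = True
        else:
            buf.append(ch)
        i += 1
    if in_realm:
        realm = "".join(buf)
    else:
        components.append("".join(buf))
        realm = default_realm                   # no '@': apply the local realm
    if not components or not components[0] or not realm:
        raise ValueError(f"malformed principal: {text!r}")
    if len(components) > 2:
        raise ValueError(f"more than two components not handled: {text!r}")
    instance = components[1] if len(components) == 2 else None
    if instance == "":
        raise ValueError(f"empty instance: {text!r}")
    return Principal(components[0], instance, realm)


# Constructed per-application role table. Keys are full principals, so the
# same primary ("foo") carries a different role on each host and each app.
# Kerberos principal names are case-sensitive, so the lookup is exact.
ROLES: Dict[str, Dict[Principal, str]] = {
    "billing": {
        Principal("foo", "clientA.fqdn", DEFAULT_REALM): "admin",
        Principal("foo", "clientB.fqdn", DEFAULT_REALM): "user",
    },
    "inventory": {
        Principal("foo", "clientA.fqdn", DEFAULT_REALM): "user",
    },
}


def role_for(app: str, principal_text: str) -> Optional[str]:
    """Return the role granted to the authenticated principal for `app`,
    or None when no entry matches the full principal."""
    principal = parse_principal(principal_text)
    return ROLES.get(app, {}).get(principal)


if __name__ == "__main__":
    for p in ("foo/clientA.fqdn@EXAMPLE.COM", "foo/clientB.fqdn@EXAMPLE.COM", "foo@EXAMPLE.COM"):
        print(p, "billing:", role_for("billing", p), "inventory:", role_for("inventory", p))
```

The bare principal foo@EXAMPLE.COM gets no role anywhere even though it shares the primary with the instanced entries; that is the property the reply describes, where the instance is part of the identity used for authorization rather than an attribute that is discarded after login.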



More information about the Kerberos mailing list