Kerberos Feature Request
Brian Davidson
bdavids1 at gmu.edu
Wed Feb 11 14:54:21 EST 2004
On Wednesday, February 11, 2004, at 01:39 PM, Sam Hartman wrote:
>
> Folks, this discussion has drifted far enough away from reality that
> it is no longer appropriate for krbdev. Even if it drifts back to
> reality it's all been fairly well hashed out before.
>
> 1) You cannot add authorization data in an AS request, only a TGS
> request.
> If someone wants to propose a plugin API or more interestingly to
> implement it, discussing that here on krbdev would be fine.
How about loadable Authorization modules, which register callback
functions. During the construction of a Service Ticket reply, a
registered callback function would be called (along with the principal
name and the name of the service. If the PAC (DCE or Microsoft) is the
only place authorization information might be stored, then return a
pointer to a PAC. Even better, pass a pointer to a PAC structure as an
argument and return a boolean. If false is returned, then don't supply
a Service Ticket to the user.
The authorization module would be free to construct a PAC, given
knowledge of the principal and the service name.
I'm sure I've overlooked lots of little details, but wouldn't this
approach work? I can see a Samba and/or OpenLDAP group writing
authorization modules, so that the 'holy grail' of Kerberos + LDAP +
Samba == replace Active Directory can be achieved.
There also could be applications outside of just replacing AD servers.
If you don't receive a service ticket to begin with, you're denied
access to a service. That's a great start for centralized
authorization...
Brian Davidson
George Mason University
More information about the krbdev
mailing list