Thoughts on a Kerberos based open-authorization architecture.

John Hascall john at
Fri Mar 3 17:02:15 EST 2006

> What I had thought about was something much simpler.  You have a directory
> somewhere (maybe it could be LDAP; I have no strong feelings on this) that
> contains user/service (and "action" if you want it) data, with "enabled/
> disabled" information.  How you organize it is still up in the air at this
> point.  Anyway, the idea is that the application server sends the authz
> server a simple query - "can user X access service Y" (_not_ via LDAP; I
> was envisioning a simple UDP based request/response protocol, single
> round trip, wrapped in a Kerberos AP_REQ/AP_REP, using a ticket acquired
> via the host key).  The authz server replies "yes" or "no".

This is almost exactly what we've been doing at Iowa State for the
last dozen years or so.  The client side is indeed very simple:
send message, get reply.  The server side I made arbitrarily complex
because it supports nested lists, and I invert and flatten the lists
in memory to make lookup as quick as possible.
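The server-side model described above, nested access lists inverted and flattened once so that the yes/no query is a single membership test, as an added example. This is not the Iowa State code or anything posted in the thread; the service, list and user names are constructed sample data, the `@name` convention for nesting one list inside another is an assumption, and the Kerberos AP_REQ/AP_REP wrapping of the UDP round trip is left outside the example (the request body is treated as already authenticated).

```python
"""
Toy authorization server, added example (not the Iowa State implementation).
Access lists may contain users or references to other lists ("@name").
The server flattens and inverts them once into user -> set(services) so a
"can user X access service Y" query never walks the nested definitions.
"""
from collections import defaultdict

# Constructed sample data with hypothetical names.
# Each service lists who may use it; "@name" refers to a named list.
SERVICES = {
    "mail":    ["@staff", "@students"],
    "payroll": ["@hr", "alice"],
    "vpn":     ["@staff"],
}
LISTS = {
    "staff":    ["@hr", "@it", "carol"],
    "hr":       ["alice", "bob"],
    "it":       ["dave", "@oncall"],
    "oncall":   ["erin", "@it"],      # deliberately cyclic with "it"
    "students": ["frank"],
}
DISABLED = {"bob"}   # the directory's enabled/disabled flag, per user


def expand_members(members, lists, seen=None):
    """Resolve a member list to the set of users it names, following
    nested "@list" references depth-first. 'seen' records lists already
    expanded so a reference cycle (or a diamond) terminates; since the
    result is a union, skipping a list already expanded loses nothing."""
    if seen is None:
        seen = set()
    users = set()
    for member in members:
        if member.startswith("@"):
            name = member[1:]
            if name in seen:
                continue
            seen.add(name)
            users |= expand_members(lists.get(name, []), lists, seen)
        else:
            users.add(member)
    return users


def flatten(services, lists, disabled=frozenset()):
    """Invert service -> members into user -> set(services), dropping
    disabled users. Done once at load time, not per query."""
    table = defaultdict(set)
    for service, members in services.items():
        for user in expand_members(members, lists) - set(disabled):
            table[user].add(service)
    return dict(table)


def can_access(table, user, service):
    """The entire per-query decision: one dict lookup plus one set test.
    Unknown users and unknown services both answer no (fail closed)."""
    return service in table.get(user, ())


def handle_request(table, payload):
    """Server half of the single UDP round trip. 'payload' is assumed to
    be the body carried inside an already-verified Kerberos AP_REQ
    (authentication and integrity are outside this example); the reply
    would travel back in the AP_REP. Malformed requests fail closed."""
    try:
        user, service = payload.decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        return b"no"
    return b"yes" if can_access(table, user, service) else b"no"


if __name__ == "__main__":
    table = flatten(SERVICES, LISTS, DISABLED)
    for u, s in [("alice", "payroll"), ("erin", "mail"),
                 ("bob", "payroll"), ("frank", "vpn")]:
        print(u, s, handle_request(table, f"{u} {s}".encode()).decode())
```

Note that `erin` reaches `mail` only through `oncall` -> `it` -> `staff`, across the cycle between `it` and `oncall`, while `bob` is refused despite being in `hr` because the disabled flag is applied during flattening rather than at query time.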

