Delegation and Moonshot

Luke Howard lukeh at
Mon Apr 4 00:38:13 EDT 2011

> winnowed according to policy at the AAA server.  Is that possible?

Sure, or ditto at the KDC. Obviously, there's a convenience vs privacy tradeoff: the AAA server needs to include in the assertion any attributes that may be required by delegatees, and these will be visible to the delegating service. If this is unacceptable, a model where the KDC contacts the IdP is better.

> values that are of interest to the app (SIDs, ...) and even map them
> to other things that are locally meaningful (UIDs, GIDs, ...).

I think this could be better done with something like Shibboleth and mapping to the local (non-URN) namespace. We have this working with Moonshot and OpenSSH/OpenLDAP authorization and it works well.

That said, map to any is implemented by MIT. Not by Heimdal though.

-- Luke

More information about the krbdev mailing list