Delegation and Moonshot
lukeh at padl.com
Mon Apr 4 00:38:13 EDT 2011
> winnowed according to policy at the AAA server. Is that possible?
Sure, or ditto at the KDC. Obviously, there's a convenience vs privacy tradeoff: the AAA server needs to include in the assertion any attributes that may be required by delegatees, and these will be visible to the delegating service. If this is unacceptable, a model where the KDC contacts the IdP is better.
> values that are of interest to the app (SIDs, ...) and even map them
> to other things that are locally meaningful (UIDs, GIDs, ...).
I think this could be better done with something like Shibboleth and mapping to the local (non-URN) namespace. We have this working with Moonshot and OpenSSH/OpenLDAP authorization and it works well.
That said, map to any is implemented by MIT. Not by Heimdal though.