any way to get user's ldap dn (or part of it) as part of the ticket?
checker at d6.com
Fri Aug 26 02:10:15 EDT 2016
I have a kerberized service that gets tickets from clients via
krb5_rd_req and I get the client name from the ticket using
krb5_unparse_name_flags. On the KDC, these clients are in the LDAP
backend. Is there any way to get the dn (which has a UUID) as part of
the ticket so I get can use it in the service? I know this is a bit of
a confusion between authn and authz, but I also know Microsoft has a
bunch of extensions that put a bunch of stuff into tickets that gets
carried around, and I'm wondering if there's an extension mechanism that
works for this. I'd like to avoid another round-trip to the backend to
map from the client name to the UUID. I'm willing to modify my MIT KDC
if necessary, although it'd be nice if was doable with a plugin in an
"official" way or something.
Thanks, or let me know if I'm thinking about this in the wrong way...
More information about the krbdev