any way to get user's ldap dn (or part of it) as part of the ticket?
Chris Hecker
checker at d6.com
Fri Aug 26 02:16:07 EDT 2016
Hmm, it looks like the authdata_plugin might be what I want?
Chris
On 2016-08-25 23:10, Chris Hecker wrote:
>
> I have a kerberized service that gets tickets from clients via
> krb5_rd_req and I get the client name from the ticket using
> krb5_unparse_name_flags. On the KDC, these clients are in the LDAP
> backend. Is there any way to get the dn (which has a UUID) as part of
> the ticket so I can use it in the service? I know this is a bit of
> a confusion between authn and authz, but I also know Microsoft has a
> bunch of extensions that put a bunch of stuff into tickets that gets
> carried around, and I'm wondering if there's an extension mechanism that
> works for this. I'd like to avoid another round-trip to the backend to
> map from the client name to the UUID. I'm willing to modify my MIT KDC
> if necessary, although it'd be nice if it was doable with a plugin in an
> "official" way or something.
>
> Thanks, or let me know if I'm thinking about this in the wrong way...
>
> Thanks,
> Chris
>
More information about the krbdev mailing list