any way to get user's ldap dn (or part of it) as part of the ticket?
checker at d6.com
Fri Aug 26 02:42:24 EDT 2016
Yeah, I want the UUID on the service that gets tickets from the clients
(so I can stop using the username as a db key, which was just a terrible
idea but hey, I was young).
So, to be clear, the client (my game) logs into the KDC, requests a
ticket to the service (the lobby server), and then logs into the lobby
server using this ticket. I'd like the lobby server to be able to get
the UUID (from the kdb LDAP backend) out of the ticket without talking
to the KDC/LDAP machine again over the wire. I don't particularly care
if the client can decrypt the UUID, but I guess it's slightly better if
they can't (which it sounds like is the case with authdata, it's
encrypted with the service key)?.
It looks like the greet client and server stuff are the things to look
On 2016-08-25 23:32, Greg Hudson wrote:
> On 08/26/2016 02:29 AM, Greg Hudson wrote:
>> Microsoft's PAC is visible to the server, not the client.
> Oops, I misread your question. You want this information in the server,
> so yes, you want authdata. Ignore everything I said about using padata.
> We do have an authdata plugin interface, but unfortunately it's
> unfinished and not public. Still, it's probably better than modifying
> the code.
> Authdata is encrypted in the AS-REP, so you don't have to worry about
> protecting the value. Negative authdata types are reserved for
> unregistered use (RFC 4120 section 5.2.6).
More information about the krbdev