[32580] in Kerberos
Re: Kerberos and LDAP for Authorization
daemon@ATHENA.MIT.EDU (Guillaume Rousse)
Thu Aug 19 05:03:49 2010
Message-ID: <4C6CF370.40305@inria.fr>
Date: Thu, 19 Aug 2010 11:03:44 +0200
From: Guillaume Rousse <Guillaume.Rousse@inria.fr>
To: kerberos@mit.edu
In-Reply-To: <4C6C66F9.3040908@cbnco.com>
On 19/08/2010 01:04, Bram Cymet wrote:
> Hi,
>
> I am working on using Kerberos and LDAP together. Replacing the kdb with
> LDAP seems simple enough.
I guess you're speaking of the KDC, and I don't know why you would like to
replace the KDC with the LDAP server.
> What I am wondering is: is it possible to send
> back Authorization details from LDAP with the Kerberos ticket or do
> Applications have to talk directly to LDAP to get the users
> Authorization details?
Kerberos is an authentication protocol only, except in the Microsoft
world. It can only tell you "this is an authenticated user". If you
want to apply user-based, or group-based, authorizations to an
application, you have to use a suitable backend, such as an LDAP server.
And there are really few applications able to authenticate in one place
and authorize from another. The only ones I know are Apache, PAM and
Radius, because you configure the whole authentication/authorization stack.
--
BOFH excuse #53:
Little hamster in running wheel had coronary; waiting for replacement to
be Fedexed from Wyoming
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
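
The split described in the reply above (authenticate with Kerberos, authorize from LDAP), sketched for Apache as an added example that is not part of the original message. It assumes Apache httpd 2.4 with mod_auth_kerb and mod_authnz_ldap loaded; the realm, host names, DNs, keytab path and bind password are placeholders.

```apache
# Constructed example: realm, hosts, DNs, paths and password are placeholders.
<Location "/admin">
    # --- Authentication: Kerberos (SPNEGO) via mod_auth_kerb ---
    AuthType Kerberos
    AuthName "Kerberos login"
    KrbMethodNegotiate On
    # No password fallback: with it enabled, the user's Kerberos password
    # is sent to the web server in a Basic Authorization header.
    KrbMethodK5Passwd Off
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    # Keytab holding the HTTP/<fqdn> service key; readable by the httpd user only.
    Krb5KeyTab /etc/httpd/conf/http.keytab
    # Map user@EXAMPLE.COM to its local name so REMOTE_USER matches the LDAP uid.
    KrbLocalUserMapping On

    # --- Authorization: group membership via mod_authnz_ldap ---
    # The ticket proves identity only; group data is fetched from the directory.
    AuthLDAPURL "ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?sub"
    # Low-privilege lookup account used to resolve REMOTE_USER to a DN.
    AuthLDAPBindDN "cn=httpd-lookup,ou=Services,dc=example,dc=com"
    AuthLDAPBindPassword "CHANGE_ME"
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN On
    Require ldap-group cn=web-admins,ou=Groups,dc=example,dc=com
</Location>
```

Stripping the realm with `KrbLocalUserMapping` is only safe when `KrbAuthRealms` is limited to realms whose principals map one-to-one to directory entries; otherwise a principal from another realm could be matched to the same `uid`.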