[16743] in Kerberos_V5_Development


Re: Delegation and Moonshot

daemon@ATHENA.MIT.EDU (Luke Howard)
Mon Apr 4 00:38:35 2011

In-Reply-To: <BANLkTin2uW=-xE8wm7SayHOWZKE-z5dJqg@mail.gmail.com>
Mime-Version: 1.0 (iPhone Mail 8G4)
Message-Id: <933651F3-7B3D-4C40-833E-40F86E85F9D9@padl.com>
From: Luke Howard <lukeh@padl.com>
Date: Mon, 4 Apr 2011 14:38:13 +1000
To: Nico Williams <nico@cryptonector.com>
Cc: Moonshot community list <moonshot-community@jiscmail.ac.uk>,
   "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu


> winnowed according to policy at the AAA server.  Is that possible?

Sure, or ditto at the KDC. Obviously, there's a convenience vs privacy tradeoff: the AAA server needs to include in the assertion any attributes that may be required by delegatees, and these will be visible to the delegating service. If this is unacceptable, a model where the KDC contacts the IdP is better.

> values that are of interest to the app (SIDs, ...) and even map them
> to other things that are locally meaningful (UIDs, GIDs, ...).

I think this could be better done with something like Shibboleth and mapping to the local (non-URN) namespace. We have this working with Moonshot and OpenSSH/OpenLDAP authorization and it works well.

That said, map to any is implemented by MIT. Not by Heimdal though.

-- Luke

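Added example, not part of the reply above and not Moonshot, Shibboleth, MIT Kerberos or Heimdal code. It models the two points Luke makes: an AAA server winnowing an IdP's asserted attributes against a per-service release policy, widening that set when the service may delegate (which is what makes the delegatees' attributes visible to the delegating service), and a relying party mapping URN-named attributes into a local namespace before authorizing. The service principal names, the policy table and the user's attribute values are constructed assumptions; the OIDs are the usual Shibboleth/eduPerson URN names but nothing depends on that.

```python
"""Added example (not from the original post; not Moonshot, Shibboleth, MIT or
Heimdal code).  Models AAA-side attribute winnowing under delegation and
relying-party mapping of URN attribute names into a local namespace."""

# Attribute names as a Shibboleth-style IdP would emit them (assumed).
UID = "urn:oid:0.9.2342.19200300.100.1.1"
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"

# Constructed: what the IdP asserted about one user.
ASSERTED = {
    UID: ["alice"],
    EPPN: ["alice@example.edu"],
    AFFILIATION: ["staff", "member"],
    ENTITLEMENT: ["urn:mace:example.edu:entitlement:wiki-edit"],
}

# Constructed release policy: which attributes each service principal may see.
RELEASE_POLICY = {
    "HTTP/portal.example.edu": {UID, EPPN},
    "ldap/dir.example.edu": {UID, AFFILIATION},
    "host/wiki.example.edu": {EPPN, AFFILIATION, ENTITLEMENT},
}


def winnow(asserted, service, delegatees=()):
    """Attributes the AAA server places in the assertion it hands to
    `service`.  If `service` may delegate to `delegatees`, their attributes
    must be included too, because the assertion travels with the delegated
    credential.  An unknown service gets nothing (deny by default)."""
    allowed = set(RELEASE_POLICY.get(service, ()))
    for d in delegatees:
        allowed |= RELEASE_POLICY.get(d, set())
    return {name: list(vals) for name, vals in asserted.items() if name in allowed}


def exposed_by_delegation(asserted, service, delegatees):
    """The privacy cost of the AAA-side model: attributes `service` receives
    only because one of its delegatees is entitled to them."""
    alone = winnow(asserted, service)
    with_delegation = winnow(asserted, service, delegatees)
    return {k: v for k, v in with_delegation.items() if k not in alone}


# Relying-party side: URN name -> local (non-URN) name.  Constructed.
LOCAL_NAMES = {
    UID: "uid",
    EPPN: "eppn",
    AFFILIATION: "affiliation",
    ENTITLEMENT: "entitlement",
}


def map_to_local(attrs, names=LOCAL_NAMES):
    """Rename attributes into the local namespace.  Anything without a
    mapping is dropped rather than passed through under its URN, so the
    authorization code only ever sees names it was written for."""
    return {names[k]: list(v) for k, v in attrs.items() if k in names}


def may_edit_wiki(local_attrs):
    """Toy authorization decision on the mapped attributes, of the kind an
    SSH- or LDAP-backed service would make: require a staff affiliation and
    the (constructed) wiki-edit entitlement."""
    affiliations = set(local_attrs.get("affiliation", []))
    entitlements = set(local_attrs.get("entitlement", []))
    return ("staff" in affiliations
            and "urn:mace:example.edu:entitlement:wiki-edit" in entitlements)


if __name__ == "__main__":
    portal, wiki = "HTTP/portal.example.edu", "host/wiki.example.edu"
    for_portal = winnow(ASSERTED, portal, delegatees=[wiki])
    print("portal receives:", sorted(for_portal))
    print("visible to portal only because it may delegate to wiki:",
          sorted(exposed_by_delegation(ASSERTED, portal, [wiki])))
    # The delegatee re-applies its own policy to the delegated assertion.
    wiki_view = map_to_local(winnow(for_portal, wiki))
    print("wiki sees:", wiki_view, "-> may edit:", may_edit_wiki(wiki_view))
```

`exposed_by_delegation` is the tradeoff in the reply made concrete: every attribute it returns is one the delegating service would not otherwise have been shown. If that set is unacceptable for a given deployment, the alternative in the reply (the KDC fetching attributes from the IdP per delegatee) keeps those attributes out of the delegator's hands entirely.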
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
