Mailing Lists: Apple Mailing Lists


Kerberos Feature Request



I probably should send this to the IETF group, but I'm not on their mailing lists. (Apologies if the cross-posting causes problems.) It would be *nice* if all Kerberos distributions added this feature the same way.

One of the famous things that Microsoft did in their AD Kerberos implementation was to add authorization data to the (supposedly optional) PAC field that is necessary when using certain other Microsoft functionality. AFAIK all of the information added is also contained in the LDAP directory that AD also provides.

I do not think it makes any sense for a (non-Microsoft) Kerberos server to directly maintain this data. Rather it should have a mechanism for acquiring the data from an external source, such as an LDAP directory.

My request is that the Kerberos community agree on a standard external interface to get that data. If the interface itself were standardized then the work of connecting that interface to the appropriate AD attributes could be done independently of any Kerberos server, and could be updated as Microsoft updates their schema independent of Kerberos versions. It would also make the use of PAC data in non-Microsoft environments much easier to consider.
--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
email@hidden, or email@hidden
_______________________________________________
darwin-development mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/darwin-development



Copyright © 2007 Apple Inc. All rights reserved.