Mailing Lists: Apple Mailing Lists
Image of Mac OS face in stamp
 
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Kerberos Feature Request

At 8:43 AM +0000 2/12/04, Tim Alsop wrote:
Henry,

Thankyou for the examples. This helps understand your requirements. Comments below prefixed with Tim>

I don't know if I'd call them "requirements" yet, if ever.

-----Original Message-----
From: Henry B. Hotz [<mailto:email@hidden>mailto:email@hidden]
Sent: 11 February 2004 23:01
To: Tim Alsop; email@hidden; email@hidden; email@hidden
Cc: Dj Byrne
Subject: RE: Kerberos Feature Request

Use case 1: I need to control access to some information based on ITAR (US Export) regulations. There is an existing LDAP attribute listing whether each kerberos user is a "US Person".

KDC queries LDAP for each ticket request for that attribute to see if it's true. If so put the info in the authorization data.

If not, or if LDAP is down, then leave it blank or set it false.
Services that care need to check it.

Tim> The KDC does not have to query the LDAP directory - this can be done after authentication has taken place using a pam module (for example) or an authorisation exit/module in the application/service. This approach is commonly used thoughout the Kerberos community. The confusion is introduced because Microsoft have chosen to transport authorisation data inside Kerberos tickets, but this has disadvantages and is not considered by some as being the best architecture. We find that most people want to use Kerberos to authenticate a user to an applicationk and then once they know who the user is, they should determine whether that user can access the application by using a standard LDAP lookup ... If the LDAP directory supports Kerberos binding (ie. SASL/GSS/Kerberos) then the forwarded Kerberos credentials available at the application can be used to bind with the directory to securely read the authorisation attributes.

You're describing how people could do it now (which is fine!). I think I'm describing a simple example of how the optional authorization data was originally intended to be used.

Use case 3: I don't want to pay Microsoft all the fees for their server.
Tap into all the open information about how to set up the windows information on an open LDAP server. Then proceed as in case 2. (Alternatively you could construct a PAC attribute ahead of time on the LDAP side and just copy it into the ticket.)

Tim> This is a clear potential requirement, but as I commented before - do you realy think Microsoft would allow such a product to exist ? If it did, then they would loose sales of Active Directory and would likely do their best to kill the product concerned ??? Just my opinion - maybe being over cautious !!

I suspect Microsoft wouldn't like it at all. OTOH what can they do? They are already tinkering with the LDAP schema as much as they probably can.

There are already lots of people inspecting the AD LDAP schema so it can be duplicated on an Open LDAP server. Apple already bundles an LDAP server with a Kerberos server to provide AD functionality. Adding correctly-formatted PAC data to the Kerberos tickets is a pretty small piece of the puzzle, and only provides an incremental improvement in compatibility AFAIK. (I'm not a Windows expert.)
--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
email@hidden, or email@hidden
_______________________________________________
darwin-development mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/darwin-development
Do not post admin requests to the list. They will be ignored.


Visit the Apple Store online or at retail locations.
1-800-MY-APPLE

Contact Apple | Terms of Use | Privacy Policy

Copyright © 2007 Apple Inc. All rights reserved.