Re: [Ganymede Dev] Re: many G... questions
>An additional question is how to represent the privileges that the
>Kerberos ticket is authenticating for. Ganymede is designed to have
>its own record of the user account, and to rely on it to decide login
>and personae availability. I imagine that changing Ganymede so that
>it referenced an external authenticator could certainly be done if
>need be, but I'm afraid I don't have enough experience with Kerberos
>to understand the advantages over simply entering the
>username/password pair.
Although some implementations of Kerberos (DCE, Windows 2000) also include
user and group identifiers in the authorization data field of the ticket,
the simplest (and most interoperable) way is to do name-based
authorization. Once a user is authenticated, you can ask Kerberos for the
authenticated user's principal name (which will include a realm). You
simply need some way of mapping this to a Ganymede user; e.g. a regex
transform or an additional attribute in the user containing the principal
name.
Interestingly, UName*It (which is one of the few things "out there", not
that it's really out there, comparable to Ganymede) supported Kerberos
authentication.
Now, if we ever finished that LDAP front-end to Ganymede, you could use
the LDAP backend in Heimdal to manage Kerberos principals with Ganymede
seamlessly :-)
-- Luke
--
Luke Howard | lukehoward.com
PADL Software | www.padl.com
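The name-based authorization described above, as an added example that is not part of the original message and not Ganymede or PADL code: after Kerberos has authenticated the client, the application only learns a principal name, and this script maps that name to a local user record both ways the reply mentions (an attribute on the user record holding the principal, and a regex transform as the fallback), refusing principals from realms it does not trust. The user table, realm names and rules are constructed for illustration.

```python
"""Name-based authorization after Kerberos authentication (added example;
not Ganymede or PADL code). Kerberos hands the application a principal name
such as "alice@EXAMPLE.COM"; this maps it to a local user record using an
attribute that stores the principal name, or a regex transform as fallback.
Unknown realms are rejected. Users, realms and rules below are constructed."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Principal:
    primary: str
    instances: Tuple[str, ...]
    realm: str


def parse_principal(name: str) -> Principal:
    r"""Split 'primary/inst1/inst2@REALM' into components, honouring backslash
    escapes so a quoted '@' or '/' inside a component is not a separator
    (bob\@x@REALM has primary 'bob@x' and realm 'REALM')."""
    parts, buf, realm, i = [], [], None, 0
    while i < len(name):
        c = name[i]
        if c == "\\" and i + 1 < len(name):     # escaped character: literal
            buf.append(name[i + 1])
            i += 2
            continue
        if c == "/":                             # component separator
            parts.append("".join(buf))
            buf = []
        elif c == "@":                           # realm separator: rest is realm
            parts.append("".join(buf))
            realm = name[i + 1:]
            break
        else:
            buf.append(c)
        i += 1
    else:                                        # no unescaped '@' found
        parts.append("".join(buf))
    if not realm or not parts[0] or "@" in realm or "/" in realm:
        raise ValueError("principal needs a non-empty primary and a realm")
    return Principal(parts[0], tuple(parts[1:]), realm)


def format_principal(p: Principal) -> str:
    """Canonical string form, re-escaping separator characters."""
    def esc(s: str) -> str:
        return re.sub(r"([\\/@])", r"\\\1", s)
    return "/".join(esc(x) for x in (p.primary,) + p.instances) + "@" + p.realm


@dataclass
class LocalUser:
    username: str
    kerberos_principal: Optional[str] = None   # constructed attribute on the record
    enabled: bool = True


class PrincipalMapper:
    def __init__(self, users: Iterable[LocalUser], allowed_realms: Iterable[str],
                 rules: Sequence[Tuple[str, str]]):
        users = list(users)
        self.by_name = {u.username: u for u in users}
        # Attribute lookup is keyed on the canonical form so escaping
        # differences cannot bypass it.
        self.by_principal = {
            format_principal(parse_principal(u.kerberos_principal)): u
            for u in users if u.kerberos_principal}
        self.allowed_realms = frozenset(allowed_realms)
        self.rules = [(re.compile(pat), repl) for pat, repl in rules]

    def map(self, principal_name: str) -> Optional[LocalUser]:
        p = parse_principal(principal_name)
        if p.realm not in self.allowed_realms:   # never trust foreign realms
            return None
        canonical = format_principal(p)
        user = self.by_principal.get(canonical)
        if user is None:                         # fall back to regex transform
            for pattern, repl in self.rules:
                m = pattern.fullmatch(canonical)
                if m:
                    user = self.by_name.get(m.expand(repl))
                    break
        return user if user is not None and user.enabled else None


# Constructed sample directory: some users carry an explicit principal
# attribute, the others rely on the regex rules.
USERS = [
    LocalUser("alice", kerberos_principal="alice@EXAMPLE.COM"),
    LocalUser("bob"),
    LocalUser("bob-admin"),
    LocalUser("carol", kerberos_principal="carol.smith@EXAMPLE.COM"),
    LocalUser("dave", kerberos_principal="dave@EXAMPLE.COM", enabled=False),
]
RULES = [
    (r"([a-z0-9]+)/admin@EXAMPLE\.COM", r"\1-admin"),   # admin instance -> admin persona
    (r"([a-z0-9]+)@EXAMPLE\.COM", r"\1"),               # plain principal -> same username
]
MAPPER = PrincipalMapper(USERS, ["EXAMPLE.COM"], RULES)


def authorize(principal_name: str) -> Optional[str]:
    """Local username granted to an authenticated principal, or None."""
    user = MAPPER.map(principal_name)
    return user.username if user else None


if __name__ == "__main__":
    for name in ["alice@EXAMPLE.COM", "bob/admin@EXAMPLE.COM", "alice@EVIL.COM"]:
        print(name, "->", authorize(name))
```

The explicit attribute is consulted first because it is the unambiguous binding; the regex rules only fill in for records that lack one, and a service principal such as host/www.example.com@EXAMPLE.COM maps to nothing because no rule admits an instance other than "admin". The realm check runs before any lookup so that a principal from another realm, even one with an escaped "@" in its primary component, can never be rewritten into a local account name.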
From: Luke Howard <lukeh@PADL.COM>