Re: [Ganymede Dev] Re: many G... questions
|
On Fri, Jul 05, 2002 at 10:38:08AM +1000, Luke Howard wrote:
|
| Although some implementations of Kerberos (DCE, Windows 2000) also include
| user and group identifiers in the authorization data field of the ticket,
| the simplest (and most interoperable) way is to do name-based
| authorization. Once a user is authenticated, you can ask Kerberos for the
| authenticated user's principal name (which will include a realm). You
| simply need some way of mapping this to a Ganymede user; e.g. a regex
| transform or an additional attribute in the user containing the principal
| name.

So, what form does the ticket take? As I understand it, the ticket is
meant to be passed to a service requesting authentication through a
public key managed transfer, yes? Or could the client simply send a
fixed binary ticket to the server over an RMI/SSL transfer, and then
have the server check the ticket out against the ticket issuing
agency?

| Interestingly, UName*It (which is one of the few things "out there", not
| that it's really out there, comparable to Ganymede) supported Kerberos
| authentication.
|
| Now, if we ever finished that LDAP front-end to Ganymede, you could use
| the LDAP backend in Heimdal to manage Kerberos principals with Ganymede
| seamlessly :-)

Ah, but that really does get us to the question of derivable types and
of hierarchical containment, doesn't it? ;-)

| -- Luke
|
| --
| Luke Howard | lukehoward.com
| PADL Software | www.padl.com
--
-------------------------------------------------------------------------------
Jonathan Abbey jonabbey@arlut.utexas.edu
Applied Research Laboratories The University of Texas at Austin
Ganymede, a GPL'ed metadirectory for UNIX http://www.arlut.utexas.edu/gash2
----------------------------------------------------------------------------
Re: [Ganymede Dev] Re: many G... questions
- From: Jonathan Abbey <jonabbey@arlut.utexas.edu>
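
Added example, not part of the original thread and not Ganymede code: the name-based authorization described in the quoted text above, mapping an already-authenticated principal name (realm included) to a local user through either a stored principal attribute or a regex transform. The realm `EXAMPLE.ORG`, the transform rule, and the user records are constructed for illustration.

```python
import re

# Constructed sample data (assumptions, not from the thread or from Ganymede).
TRUSTED_REALMS = {"EXAMPLE.ORG"}
# Regex transform: single-component names only, so "luke/admin" never maps to "luke".
RULE = re.compile(r"([a-z][a-z0-9_-]{0,31})")
# Alternative mapping: a per-user attribute that stores the full principal name.
PRINCIPAL_ATTR = {"jonathan.abbey@EXAMPLE.ORG": "jonabbey"}
KNOWN_USERS = {"jonabbey", "luke"}


def split_principal(principal):
    """Return (name, realm) for 'name@REALM', honouring backslash escapes, else None."""
    cuts, i = [], 0
    while i < len(principal):
        if principal[i] == "\\":
            i += 2                      # skip the escaped character
            continue
        if principal[i] == "@":
            cuts.append(i)
        i += 1
    # Exactly one unescaped '@', with a non-empty name and realm on either side.
    if len(cuts) != 1 or cuts[0] == 0 or cuts[0] == len(principal) - 1:
        return None
    return principal[:cuts[0]], principal[cuts[0] + 1:]


def map_principal(principal):
    """Return the local user for an authenticated principal, or None to deny."""
    parts = split_principal(principal)
    if parts is None:
        return None
    name, realm = parts
    if realm not in TRUSTED_REALMS:     # the realm is part of the identity
        return None
    user = PRINCIPAL_ATTR.get(principal)  # explicit attribute wins over the transform
    if user is None:
        m = RULE.fullmatch(name)        # fullmatch: the whole name must fit the rule
        user = m.group(1) if m else None
    # Default deny: a mapped name must also exist as a local user.
    return user if user in KNOWN_USERS else None
```

The input must be the principal name reported by the Kerberos library after the ticket has been verified, never a name supplied by the client.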