no way to get LDAP info with tickets, is there?

no way to get LDAP info with tickets, is there?

Chris Hecker

My krb5 db is in LDAP, and I'd like to get some LDAP info when
authenticating a princ, like at least the dn of the princ's record.  Is
there any way to do this, or do I need to do a whole separate LDAP query?

Thanks,
Chris

_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: no way to get LDAP info with tickets, is there?

Chris Hecker
I am assuming the crickets means no.  :)

Chris
On Aug 12, 2015 6:36 PM, "Chris Hecker" <[hidden email]> wrote:

>
> My krb5 db is in LDAP, and I'd like to get some LDAP info when
> authenticating a princ, like at least the dn of the princ's record.  Is
> there any way to do this, or do I need to do a whole separate LDAP query?
>
> Thanks,
> Chris
>
>

Re: no way to get LDAP info with tickets, is there?

Benjamin Kaduk-2
On Mon, 17 Aug 2015, Chris Hecker wrote:

> I am assuming the crickets means no.  :)

Well, that depends on how much code you are interested in writing.

A little bit more seriously, the kitten working group has talked some
about adopting a proposal for a "PAD" (Posix Authorization Data) container
which would be a natural fit for many of the attributes that would be
stored in LDAP.  But that's unlikely to be in a release for at least a few
years, indeed if it ever is.

-Ben

Re: no way to get LDAP info with tickets, is there?

Dmitri Pal
On 08/17/2015 01:31 AM, Benjamin Kaduk wrote:

> On Mon, 17 Aug 2015, Chris Hecker wrote:
>
>> I am assuming the crickets means no.  :)
> Well, that depends on how much code you are interested in writing.
>
> A little bit more seriously, the kitten working group has talked some
> about adopting a proposal for a "PAD" (Posix Authorization Data) container
> which would be a natural fit for many of the attributes that would be
> stored in LDAP.  But that's unlikely to be in a release for at least a few
> years, indeed if it ever is.
>
> -Ben

Chris,

What is the reason for your interest?
If you want some quick results then it is probably not something that
can be done.
If you are interested in making things happen and have an ability to
pass information in the tickets eventually then let us join the forces.

--
Thank you,
Dmitri Pal

Engineering Director, Identity Management and Platform Security
Red Hat, Inc.


Re: no way to get LDAP info with tickets, is there?

Chris Hecker
Yeah, I just needed the dn (or the uuid field) from LDAP for looking up in
a different db, but I can do it a different way in my setup.  Unfortunately
I don't have bandwidth right now to help out with The Right Solution.  I
would totally use it if it existed, though! :)

I assume this would be the POSIX version of what msft does by attaching a
bunch of stuff to the ticket?

Chris

Re: no way to get LDAP info with tickets, is there?

Benjamin Kaduk-2
On Mon, 17 Aug 2015, Chris Hecker wrote:

> Yeah, I just needed the dn (or the uuid field) from LDAP for looking up in
> a different db, but I can do it a different way in my setup.  Unfortunately
> I don't have bandwidth right now to help out with The Right Solution.  I
> would totally use it if it existed, though! :)
>
> I assume this would be the POSIX version of what msft does by attaching a
> bunch of stuff to the ticket?

Yes; the Microsoft thing is called the PAC and the IETF proposal goes by
the name PAD.

-Ben