In a core enterprise IT, you have 2 "systems": AuthN (authentication) and AuthZ (authorization). Kerberos fits in best as an AuthN system. It can very easily tie into LDAP which can support your AuthZ needs.
-- DK

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of bart.w.jenkins
> Sent: Wednesday, June 02, 2004 1:12 PM
> To: [EMAIL PROTECTED]
> Subject: RBAC and Kerberos?
>
> All,
> I would love to use MIT's Kerberos, but it looks as though it can NOT do Role Based Access Control (RBAC) out of the box. It seems that MIT's Kerberos stores only principals and knows nothing about any roles those principals might or might not have. For any particular user, I would love to be able to attach a list of roles that person plays. For example, for user Joe, I need to be able to say that principal Joe has roles: Admin, Superuser or Manager or Supervisor, or Team1Leader etc. Then, when Joe authenticates to the KDC, if both the principal (what Java JAAS calls the subject) could also return a list of roles (JAAS principals), I could then do RBAC. Microsoft had to add some separate user-to-role database that is consulted when users authenticate in their Active Directory realm. I would like to not have to do this. Does anyone know of a Kerberos implementation that does RBAC and, BTW, works with Sun's JAAS (Java security)?
>
> I could just have user Kerberos principals and Role principals, but then when someone logged in with a Role user id, I would not know who the underlying user was. It seems that adding some Role attributes to the kerb principal would help a lot here.
>
> Thanks
>
> Bart
>
> ________________________________________________
> Kerberos mailing list [EMAIL PROTECTED]
> https://mailman.mit.edu/mailman/listinfo/kerberos
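
Added example (not part of the original thread, and not MIT Kerberos or JAAS code): one way to keep Kerberos for AuthN and take roles from a directory for AuthZ, as the reply suggests, while still knowing who the underlying user is. The realm name, directory entries, the attribute name krbPrincipalName and all function names are assumptions; the in-memory lookup stands in for a real LDAP search.

```python
TRUSTED_REALM = "EXAMPLE.COM"  # assumption: the only realm whose users get roles
BASE = "dc=example,dc=com"     # constructed directory suffix

# Constructed directory: user entries carry the full principal name
# (attribute name krbPrincipalName is an assumed schema choice); role
# groups list member DNs.
USERS = {
    "uid=joe,ou=people," + BASE: "joe@EXAMPLE.COM",
    "uid=ann,ou=people," + BASE: "ann@EXAMPLE.COM",
}
ROLE_GROUPS = {
    "Admin": {"uid=joe,ou=people," + BASE},
    "Team1Leader": {"uid=joe,ou=people," + BASE, "uid=ann,ou=people," + BASE},
    "Manager": {"uid=ann,ou=people," + BASE},
}


def escape_filter_value(value):
    """Escape a string for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_filter(principal):
    """Filter a real LDAP client would send to locate the user's entry."""
    return "(krbPrincipalName=%s)" % escape_filter_value(principal)


def find_user_dn(principal):
    """In-memory stand-in for that search: exact match on the full name."""
    for dn, name in USERS.items():
        if name == principal:
            return dn
    return None


def authorize(principal):
    """Return (principal, roles) for a principal the KDC already authenticated."""
    _, sep, realm = principal.rpartition("@")
    # Matching on "joe" alone would give joe@OTHER.REALM the roles of
    # joe@EXAMPLE.COM, so the realm is checked and the full name is looked up.
    if not sep or realm != TRUSTED_REALM:
        return principal, frozenset()
    dn = find_user_dn(principal)
    if dn is None:
        return principal, frozenset()
    roles = frozenset(r for r, members in ROLE_GROUPS.items() if dn in members)
    return principal, roles
```

The returned pair keeps the user's own principal next to the role set, so a decision made on a role can still be attributed to the person who logged in.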