On Wed, Oct 03, 2007 at 12:29:00AM +0100, Simon Wilkinson wrote:
>
> >Does anyone have any mods to use LDAP to store the auth_to_local
> >database?
>
> Somewhere or another I've got patches allowing this to be deferred to a
> daemon that's contacted through a Unix socket (library provides principal
> and username, daemon says yes or no). I never really got past prototyping
> this as a proof of concept, and we've never got round to using it in
> production, but I can dig out the code if anyone is interested. In the case
> you're discussing it would allow the LDAP lookups to be performed
> 'out-of-process'.

This sounds interesting. In the solution I am envisioning, this daemon would
take the hostname, principal and username and return whether the mapping is
valid or not, i.e. whether that principal can log into that [EMAIL PROTECTED]
This then would somehow end up back in the app through krb5_kuserok().

(Btw, it sounds like this could also be implemented using a centralized
authorization server.)

Am I understanding correctly?

Thanks,
--
Jos Backus
jos at catnook.com
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
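
The out-of-process lookup discussed in this thread, as an added example that is not the patches mentioned above or any MIT Kerberos code: a daemon on a Unix socket answers yes or no for a (hostname, principal, username) triple, and the client denies on any error. The one-line wire format, the function names and the in-memory policy standing in for LDAP are assumptions.

```python
import os, socket, socketserver, tempfile, threading

# Added example: names and wire format are assumptions, not the thread's patch.
# Constructed policy standing in for LDAP: (host, principal) -> allowed users.
POLICY = {
    ("web1.example.com", "alice@EXAMPLE.COM"): {"alice", "deploy"},
    ("db1.example.com", "bob/admin@EXAMPLE.COM"): {"root"},
}

def decide(host, principal, username):
    """Default deny: only an exact policy match yields True."""
    return username in POLICY.get((host, principal), set())

class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        # Assumed wire format: one line "host principal username\n".
        fields = self.rfile.readline(1024).decode("utf-8", "replace").split()
        ok = len(fields) == 3 and decide(*fields)
        self.wfile.write(b"yes\n" if ok else b"no\n")

def start_daemon(path):
    """Serve on a Unix socket whose file is created with mode 0600."""
    old = os.umask(0o177)
    try:
        srv = socketserver.ThreadingUnixStreamServer(path, Handler)
    finally:
        os.umask(old)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def kuserok_query(path, host, principal, username, timeout=2.0):
    """Client side, as a kuserok-style hook might call it. Fails closed."""
    fields = (host, principal, username)
    if any(not f or any(c.isspace() for c in f) for f in fields):
        return False               # refuse values that could split the request
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(path)
            s.sendall(" ".join(fields).encode() + b"\n")
            return s.makefile("rb").readline(16) == b"yes\n"
    except OSError:
        return False               # daemon down or slow: deny

if __name__ == "__main__":
    sock = os.path.join(tempfile.mkdtemp(), "authz.sock")
    srv = start_daemon(sock)
    print(kuserok_query(sock, "web1.example.com", "alice@EXAMPLE.COM", "deploy"))
    print(kuserok_query(sock, "web1.example.com", "alice@EXAMPLE.COM", "root"))
```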
