On 5/6/12 7:56 PM, Aleksander Adamowski wrote:
Hi!

Resurrecting the old thread about integrating Kerberos with LDAP (
http://thread.gmane.org/gmane.comp.apache.incubator.directory.devel/24181
), I'd like to share my recent progress in pursuing this idea.

Good!

As I wrote in my blog ( http://olo.org.pl/dr/krbldap_thesis ), as a
subject of my master's thesis, I've made a proof of concept
implementation that demonstrates the idea in a working form. I've also
given a nice short name to the resulting combined protocol - KrbLDAP.
Barely possible to pronounce, but still, sounds good :)

The thesis (available at
https://olo.org.pl/files/masters_thesis/Praca_Magisterska-Aleksander_Adamowski-A_new_secure_authentication_concept.pdf
) presents the rationale behind my proposal and describes a proof of
concept implementation (whose code I've made available on Github:
https://github.com/aadamowski ). More information in my aforementioned
blog post.
I'll read this paper ASAP...

During work on this, as a side effect, I've discovered several
interoperability issues between MIT libkrb5 client and Apache DS's KDC
implementation.
The ApacheDS implementation is far from perfect! I'd say that since 2007 we have not worked much on it, as we had to work full steam on the server itself.

While several issues still remain, some of them have already been
addressed in the process (without that I wouldn't even have been able to
progress beyond the initial message in the Kerberos exchange), e.g.:
http://thread.gmane.org/gmane.comp.apache.incubator.directory.devel/35632/focus=35687

Yeah, Kiran was very helpful here...

I suppose that once the interoperability between MIT krb5 and Apache
DS gets better, my proof of concept test will result in successfully
obtaining a Kerberos ticket over KrbLDAP without any modifications
needed in its code.

Waiting anxiously for your feedback and constructive criticism,
The best thing here would be for you to jump on the bandwagon! If you are interested in participating in the Kerberos effort, we can help you understand how the current code works. IMO, that would be the best possible solution, as we have a little knowledge about Kerberos (except when it comes to encoding/decoding the messages, and a few other things aside), but at least we know how the server is implemented.

It's not that complex to become a contributor! And we would really value a contributor who has deep knowledge of Kerberos :) All in all, providing a few patches that make the server better is the best way to get in!

--
Regards,
Emmanuel Lécharny
www.iktek.com
