Hi, I have set up a Kerberos realm. A user and a service (let's say a database) are both included as principals in KDC database and the service restricts access to */dbu...@example.com. User and service can communicate perfectly using a database CLI at the users machine.
Now these days CLIs aren't "state-of-the-art" anymore and $managers refuse to use them. Let's throw a long discussion and platform independent, Web2.0 ready and more buzzwords into the pot and we get the need for a browser based web frontend to the service. And that's the point where I do not get the full picture about Kerberos. How would that work in a fully kerberized environment using all these great features like single-sign-on and never transmitting a password over the wire? For sure, I would have to add the webserver to the KDC database, but what then? Would I add the webserver principal to the ACL list of the service and add another authentication/authorization layer into the web application? Could I somehow forward the users ticket for the service to the webserver and make the application to give it to the service proving this way that the user requested access to the service? That would keep all authentication on service side, but is it a good idea to give a service ticket to another machine? Would that even work given that the users machine IP# is added to the tickets, AFAICS? In the current setup the software involved are MIT Kerberos, an OpenLDAP server as service, e.g. phpLDAPadmin as web application, Apache httpd running it, and various browsers used to access it running on different OS's. But I'm more interested in the general Kerberos idea how to do that. However, if you point me to specific software I should use in this setup I would be happy, too. Thanks in advance for some enlightenment. Kind regards, -- Navteq (DE) GmbH Frank Gruellich Map24 Systems and Networks Duesseldorfer Strasse 40a 65760 Eschborn Germany Phone: +49 6196 77756-414 Fax: +49 6196 77756-100 USt-ID-No.: DE 197947163 Managing Directors: Thomas Golob, Alexander Wiegand, Hans Pieter Gieszen, Martin Robert Stockman ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos