> On 15 March 2024 at 17:17, Greg Hudson <ghud...@mit.edu> wrote:
>
> On 3/15/24 06:15, Yoann Gini wrote:
>> Information about the principal (name and everything) could be extracted
>> from the certificate. Principal and certificate contain the same
>> information.
>
> To issue a ticket, the KDC doesn't need to know directory-type information
> such as real names, but it does need to know Kerberos-specific policy
> information like "how long can the ticket expiration time be". That
> information could presumably be standardized across clients, which is why I
> suggested a template principal.

Understood! That's an interesting lead here.

>> Another option I wonder about is using the LDAP backend to answer dynamic content
>> (we have an LDAP gateway in our codebase, so we can use it as a backend API
>> between MIT Kerberos and our identity store).
>> Doing so, the main issue would be to know what Kerberos needs to write, to
>> handle it.
>
> The KDC does not need to write to the KDB, although it will attempt to do
> writes to maintain account lockout state (which is irrelevant to the
> configuration at hand). Attempts to write can be disabled via the settings
> documented here:
>
> https://web.mit.edu/kerberos/krb5-latest/doc/admin/lockout.html#disable-lockout
>
> When synthesizing a client principal entry (or creating a template), be sure
> to include the KRB5_KDB_REQUIRES_PRE_AUTH and KRB5_KDB_DISALLOW_SVR principal
> flags.

OK, thanks!

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
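The two settings Greg's link refers to, written out as a kdc.conf realm stanza. This fragment is added here for illustration and is not from the thread or from MIT krb5 itself; the realm name EXAMPLE.COM and the surrounding stanza are assumptions, and only the two `disable_*` lines are the point. With both set, the KDC stops trying to record last-success and failed-authentication state, so a read-only or synthesized KDB (such as an LDAP gateway that only answers reads) never sees a write it cannot honour.

```ini
[realms]
    EXAMPLE.COM = {
        # Assumed realm; adjust to the deployment.
        # Stop the KDC from updating the "last successful auth" timestamp
        # on every AS-REQ, which would otherwise be a KDB write per login.
        disable_last_success = true
        # Stop the KDC from tracking failed-auth counts and lockout state,
        # the only other write the KDC attempts on its own during ticket issue.
        disable_lockout = true
    }
```

For the template principal Greg suggests, the matching kadmin flags are `+requires_preauth` (sets KRB5_KDB_REQUIRES_PRE_AUTH) and `-allow_svr` (sets KRB5_KDB_DISALLOW_SVR), for example `kadmin.local -q 'addprinc -randkey +requires_preauth -allow_svr pkinit-template@EXAMPLE.COM'`, where the principal name is an assumption. DISALLOW_SVR matters because entries synthesized from certificates are client identities only; without it the KDC would also issue service tickets for those names.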