On Wed, 19 Dec 2007, Huie-Ying Lee wrote:
hi Huie-Ying,
>Initially, I was not sure whether KMF is the right place for this when
>Jan brought up the idea. However, after thinking it over a little bit,
>it makes more and more sense to me. Adding a new library with
>a new policy file will make things more complicated. Given that KMF supports
>many kmf_get_cert_xxx() APIs already, adding kmf_map_cert_to_username()
>shouldn't be too odd.
I've just read through your pam_pkcs11 materials and what it
provides seems to fit what we need for SunSSH. So, if the KMF team were
willing to somehow expose this functionality through the KMF API, that would be
great.
From the list of mappers I would say that it should be enough to
support quite a large set of mappings. And if there were still anything missing
for the SunSSH/x509 project, I'm definitely willing to write or help with a
mapper that would be needed.
I think that there might be a not too large set of attributes needed to
define a mapping:
- a module name
- filename for "xxx -> user" mapping if needed
- ignore case if applicable
- a few attributes (host, port, password, ...) for directory-like
mapper like LDAP one
- ignore domain if applicable (e.g. mail-to-user mapper)
- algorithm (e.g. digest mapper)
I would be definitely willing to help with design for this, if
needed.
thanks, Jan.
--
Jan Pechanec
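To make the attribute list in Jan's message concrete, here is an added example (not code from this thread, from KMF or from pam_pkcs11) of how a small cert-to-username mapper chain could consume those attributes. Names such as MapperConfig and the dict standing in for the "xxx -> user" mapping file are assumptions; the certificates are constructed byte strings, not real DER.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class MapperConfig:
    """Hypothetical holder for the attributes listed in the message."""
    module: str                  # mapper module name: "mail" or "digest" here
    mapfile: dict                # in-memory stand-in for the "xxx -> user" file
    ignore_case: bool = False    # mail mapper: compare case-insensitively
    ignore_domain: bool = False  # mail mapper: drop "@domain" before lookup
    algorithm: str = "sha256"    # digest mapper: hash over the cert's DER bytes

def mail_to_user(cfg: MapperConfig, cert: dict) -> Optional[str]:
    """Map the certificate's e-mail address to a user via cfg.mapfile."""
    def norm(addr: str) -> str:
        if cfg.ignore_domain:            # widens who matches; only safe if the
            addr = addr.split("@", 1)[0]  # CA issues for exactly one domain
        return addr.lower() if cfg.ignore_case else addr
    table = {norm(k): v for k, v in cfg.mapfile.items()}
    return table.get(norm(cert["email"]))

def digest_to_user(cfg: MapperConfig, cert: dict) -> Optional[str]:
    """Map a digest of the certificate's DER encoding to a user."""
    digest = hashlib.new(cfg.algorithm, cert["der"]).hexdigest()
    return cfg.mapfile.get(digest)

MAPPERS = {"mail": mail_to_user, "digest": digest_to_user}

def map_cert_to_username(chain: list, cert: dict) -> Optional[str]:
    """Try each configured mapper in order; the first non-empty answer wins."""
    for cfg in chain:
        user = MAPPERS[cfg.module](cfg, cert)
        if user:
            return user
    return None  # no mapper claimed the cert: the caller must deny the login

# Constructed sample data, not real certificates.
ALICE_DER = b"constructed-der-bytes-for-alice"
BOB_DER = b"constructed-der-bytes-for-bob"
CHAIN = [
    MapperConfig("mail", {"alice@example.com": "alice"},
                 ignore_case=True, ignore_domain=True),
    MapperConfig("digest", {hashlib.sha256(BOB_DER).hexdigest(): "bob"}),
]

if __name__ == "__main__":
    print(map_cert_to_username(CHAIN, {"email": "Alice@EXAMPLE.com", "der": ALICE_DER}))
    print(map_cert_to_username(CHAIN, {"email": "bob@other.org", "der": BOB_DER}))
```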