[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: krbName

To: Rob Byrne - Sun Microsystems <rbyrne@france.sun.com>
Subject: Re: krbName
From: Booker Bense <bbense@networking.stanford.edu>
Date: Thu, 1 Jul 1999 08:50:36 -0700 (PDT)
Cc: openldap-devel@OpenLDAP.org
In-reply-to: <377A08D2.659D612A@france.sun.com>

On Wed, 30 Jun 1999, Rob Byrne - Sun Microsystems wrote:

> 
> Hi Booker,
> 
> "- IMHO, this is a really bad idea. One of the really nice advantages
> of the current krbName approach is that it effectively gives you a
> convient "group" or role mechanism. i.e. an ldap DN can have many
> krbNames. Also, there are potential uses for krbName beyond kerberos
> authentication. "
> 
> Could you give some examples of using  krbName in the way you descibe
> to  implement groups or roles ?
> 

- Sure, the most common thing that we do is create an ldap entity that 
is used in ACL's for restricted data items. For example : 

- All of our tac_plus servers use an authenticated ldap lookup to 
make authorization decisions. Rather than create an ldap entity 
for each server, we create a "Reader of attribute X" entity and 
add the appropriate krbNames to this entity. 

- Booker C. Bense

Prev by Date: Re: The new mail500: first version
Next by Date: [no subject]
Index(es):
- Chronological
- Thread