ldap, kerberos and authorization by group membership
- To: openldap-technical@openldap.org
- Subject: ldap, kerberos and authorization by group membership
- From: brendan kearney <bpk678@gmail.com>
- Date: Fri, 15 Mar 2013 21:26:38 -0400
All,

Please excuse my ignorance, as I am still learning. I have started working with MIT Kerberos 5 and OpenLDAP. I have the krb5 database in LDAP, have several principals created, and can authenticate using Kerberos. What I would like to accomplish is authorization based on group membership. I am unclear on how to do this, and whether it requires the use of SASL (via the cyrus-sasl packages). Am I able to create a groupOfNames object, populated with Kerberos principals, and accomplish authorization by checking for membership of that groupOfNames? The scenario is mod_auth_kerb implemented in httpd, or access control via ACL in Squid. Based on group membership, certain functionality or access would be given to authenticated users. I have read and re-read the guide included with OpenLDAP, but am still unclear about what is needed. Below is some info about versions, etc. Thank you in advance for any guidance.
OS: Fedora: 16 x86_64
OpenLDAP: 2.4.26-8
MIT Kerberos: 1.9.4-3
Cyrus SASL: 2.1.23-27
Thank you,
Brendan
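The model the post is asking about, as an added example that is not part of the original message: Kerberos only answers who the client is (a principal); the directory then maps that principal to its entry and checks whether the entry's DN is listed as a `member` of a groupOfNames. The example runs against a constructed in-memory LDIF instead of a live server; the attribute `krbPrincipalName` (which the MIT Kerberos LDAP backend stores on principal entries), the group name and all DNs are assumptions.

```python
# Added example: the authorization step after Kerberos authentication, run
# against a constructed in-memory directory instead of a live OpenLDAP server.
# Attribute names krbPrincipalName/member and all DNs below are assumptions.
CONSTRUCTED_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: krbPrincipalAux
krbPrincipalName: alice@EXAMPLE.COM

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: krbPrincipalAux
krbPrincipalName: bob@EXAMPLE.COM

dn: cn=proxy-users,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=com
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} for single-line-attribute LDIF."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None          # blank line ends the entry
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr.lower(), []).append(value)
    return entries

def principal_to_dn(entries, principal):
    """Map an authenticated principal to its entry; None unless exactly one matches."""
    matches = [dn for dn, attrs in entries.items()
               if principal in attrs.get("krbprincipalname", [])]
    return matches[0] if len(matches) == 1 else None

def is_member(entries, group_dn, user_dn):
    """True only if the DN is listed in a groupOfNames' member attribute."""
    group = entries.get(group_dn, {})
    if "groupOfNames" not in group.get("objectclass", []):
        return False
    return user_dn in group.get("member", [])

def authorize(entries, principal, group_dn):
    """Kerberos gives the principal; the directory decides group access."""
    user_dn = principal_to_dn(entries, principal)
    return user_dn is not None and is_member(entries, group_dn, user_dn)

DIRECTORY = parse_ldif(CONSTRUCTED_LDIF)
```

An unknown or ambiguous principal resolves to no DN and is denied rather than guessed; a real deployment does the same lookups with an LDAP search (for example via mod_authnz_ldap's `Require ldap-group` in httpd), and SASL is only involved if the LDAP bind itself is to use Kerberos.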