[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Identity propagation in back-ldap by proxyAuthz control (Was: proxyAuthz propagation in back-ldap)
--On Wednesday, December 10, 2003 11:16 PM +0100 Pierangelo Masarati
<ando@sys-net.it> wrote:
I guess the subject I initially used was obscure,
if not misleading.
Moreover, I guess the point is I'm hijacking a control
to do something a bit different from its intended usage.
I've certainly found this entire discussion interesting, because it in part
ties into something we are trying to get working here. We have the
following scenario:
Host A on a VLAN
Host B on the VLAN and on Stanford's public net
Host C on Stanford's public net, running OpenLDAP.
We need Host A to be able to talk to Host C.
Our main issue is that we use Kerberos authentication for everything. I'm
not clear that kerberos works on the VLAN (Host A is a server run by a
different department). The idea so far has been:
B strictly controls what hosts can talk to it via tcpwrappers (or something
similar).
B has its own kerberos identity, which it uses to bind to C to get access
to the attributes that department needs. However, A is the host that needs
the attributes. So what I need is for A to be able to bind anonymously to
B, and B to then bind in an authenticated fashion to C. So I guess this is
the Proxy Anonymous, Forward Authenticated scenario that Kurt said is
nonsense? -- Not sure. If Kerberos does work on the VLAN, it gets much
simpler, where I simply have the Proxy Auth, Forward Auth scenario.
If this is the 'nonsense' case, I think there are actual cases where it
isn't nonsense. ;) Nor do I have a full understanding (yet) on how to get
all this working.
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html