[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Identity propagation in back-ldap by proxyAuthz control (Was: proxyAuthz propagation in back-ldap)

--On Wednesday, December 10, 2003 11:16 PM +0100 Pierangelo Masarati <ando@sys-net.it> wrote:

I guess the subject I initially used was obscure,
if not misleading.

Moreover, I guess the point is I'm hijacking a control
to do something a bit different from its intended usage.

I've certainly found this entire discussion interesting, because it in part ties into something we are trying to get working here. We have the following scenario:

Host A on a VLAN

Host B on the VLAN and on Stanford's public net

Host C on Stanford's public net, running OpenLDAP.

We need Host A to be able to talk to Host C.

Our main issue is that we use Kerberos authentication for everything. I'm not clear that kerberos works on the VLAN (Host A is a server run by a different department). The idea so far has been:

B strictly controls what hosts can talk to it via tcpwrappers (or something similar).

B has its own kerberos identity, which it uses to bind to C to get access to the attributes that department needs. However, A is the host that needs the attributes. So what I need is for A to be able to bind anonymously to B, and B to then bind in an authenticated fashion to C. So I guess this is the Proxy Anonymous, Forward Authenticated scenario that Kurt said is nonsense? -- Not sure. If Kerberos does work on the VLAN, it gets much simpler, where I simply have the Proxy Auth, Forward Auth scenario.

If this is the 'nonsense' case, I think there are actual cases where it isn't nonsense. ;) Nor do I have a full understanding (yet) on how to get all this working.


Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html