A Kerberos client would be great to have.  Enrique and I often spoke about having such a client to not have to deal with the ugliness of the various KRB5 login modules supported by JVM vendors.

It would clean up much of the nasty code in Tsec/ADS and would make it easier to manage the configuration of Tsec/ADS itself.


On 2/19/07, David Jencks <david_jencks@yahoo.com> wrote:

On Feb 18, 2007, at 6:30 PM, Enrique Rodriguez wrote:

> On 2/18/07, David Jencks <david_jencks@yahoo.com> wrote:
>> ...
>> On a conceivably related note, triplesec has some nasty code to try
>> to find a sun or ibm kerberos LoginModule.... do you have one or know
>> how to write one?  I think having our own would be pretty handy.
> Wait ... can you clarify?  I wrote a LoginModule once but I think it
> was just to get out of having to use the JDK's configuration system
> (conf files, properties ...).  I realized just now that maybe you
> meant writing an entire Kerberos client that didn't rely on underlying
> com.sun classes.  In which case, we've talked about doing that for a
> long time, most notably so we could support OTP's, IDfusion,
> authorization payload, smart cards, or modern configuration
> mechanisms.  As with our other server protocols, we have a lot of the
> guts to do a client library.
> Is a Kerberos client implementation what you are asking for?

I think so.... I'd like a Krb5LoginModule that I can use on either
sun or ibm jdks without it having to test which one it's running on.

I need to study jGSS more to make sense of your previous answer :-)

many thanks
david jencks

> Enrique