From: "Alex Karasulu"
To: "Apache Directory Developers List"
Date: Fri, 1 Jun 2007 19:48:44 -0400
Subject: Re: OT kerberos, iwa and proxys

What use case is this for or rather what is your aim with a KRB5 proxy?

Alex

On 6/1/07, Marc Boorshtein wrote:
>
> Nope. I know that the process of browser-->iis works, I wanted to put
> a proxy in between. Browser<-->http proxy<-->iis
>
> I know all of the SPNEGO stuff is done in headers so I think it's OK
> but I know this list has a lot of Kerberos knowledge so I wanted to get
> some input on if the proxy would interfere with the authentication
> process.
>
> Thanks
> Marc
>
> On 6/1/07, Alex Karasulu wrote:
> > SPNEGO does this.
> >
> > Alex
> >
> > On 6/1/07, Marc Boorshtein wrote:
> > >
> > > Thanks
> > >
> > > What I'm actually doing is trying to proxy the ticket as part of an
> > > http request/response but I thought I had heard that Kerberos tickets
> > > could not be proxied unchanged. It sounds like that's not the case.
> > > I'll read those links.
> > >
> > > Thanks!
> > > Marc
> > >
> > > On 6/1/07, Emmanuel Lecharny wrote:
> > > > Marc Boorshtein wrote:
> > > >
> > > > > All,
> > > >
> > > > Hi Marc,
> > > >
> > > > > I've got a Kerberos question when combined with integrated windows
> > > > > authentication. Can the process of authenticating the user to an iis
> > > > > server be proxied successfully?
> > > >
> > > > so far, I think you just need to enable SPNEGO on your browser to do so
> > > > (http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/tsec_SPNEGO_config_web.html)
> > > >
> > > > Of course, this will be helpful if you are just using a browser...
> > > > Otherwise, your application will have to implement SPNEGO. FYI, we have
> > > > written a java codec for this protocol, but it has been sandboxed...
> > > > Just tell us if you want it to be resuscitated.
> > > >
> > > > Emmanuel.
> > > >
> > > > > Thanks for any input.
> > > > >
> > > > > Marc
> > > > >
> > > > > On 6/1/07, Alex Karasulu wrote:
> > > > >
> > > > >> On 6/1/07, Emmanuel Lecharny wrote:
> > > > >>
> > > > >> SNIP
> > > > >>
> > > > >> BasicAttributes to a more ldap compliant BasicAttributesImpl...)
> > > > >>
> > > > >> What about renaming BasicAttributesImpl to just LdapAttributes? Of
> > > > >> course not in the 1.0 branch which would break backwards compatibility of
> > > > >> partitions but in the 1.5 branch? Guess really it's the 0.9.6 branch of
> > > > >> shared for 1.5 of ApacheDS.
> > > > >>
> > > > >> Anyway this would be clearer no?
> > > > >>
> > > > >> Alex
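
Added example, not part of the thread and not Apache Directory code: since the thread notes that SPNEGO travels in HTTP headers, this sketch shows what an intermediary can read from an `Authorization: Negotiate` value by decoding the outer token framing. The function names are hypothetical and the sample headers are constructed with filler bytes, not real tickets.

```python
import base64

# Well-known mechanism OIDs (RFC 4178 SPNEGO, RFC 4121 Kerberos V5).
MECHS = {"1.3.6.1.5.5.2": "spnego", "1.2.840.113554.1.2.2": "kerberos5"}

def _der_len(buf, i):
    """Return (length, next_index) for a DER length field at buf[i]."""
    first = buf[i]
    if first < 0x80:                       # short form
        return first, i + 1
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or i + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _oid(body):
    """Decode DER OID content bytes to dotted-decimal form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def classify_negotiate(header_value):
    """Classify the outer framing only; the mechanism list inside a
    SPNEGO wrapper is not parsed here."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "malformed"
    if tok.startswith(b"NTLMSSP\x00"):     # raw NTLM message, no GSS framing
        return "ntlm"
    if tok[:1] == b"\xa1":                 # SPNEGO NegTokenResp (later round)
        return "spnego-continuation"
    if tok[:1] != b"\x60":                 # GSS-API InitialContextToken tag
        return "unknown"
    try:
        _, i = _der_len(tok, 1)
        if tok[i] != 0x06:                 # expect the mechanism OID next
            return "unknown"
        n, i = _der_len(tok, i + 1)
        return MECHS.get(_oid(tok[i:i + n]), "unknown")
    except (IndexError, ValueError):
        return "malformed"

def _sample(oid_bytes, filler=b"\x00" * 8):    # constructed test token
    inner = b"\x06" + bytes([len(oid_bytes)]) + oid_bytes + filler
    return "Negotiate " + base64.b64encode(b"\x60" + bytes([len(inner)]) + inner).decode()

SPNEGO_HDR = _sample(bytes.fromhex("2b0601050502"))
KRB5_HDR = _sample(bytes.fromhex("2a864886f712010202"))
NTLM_HDR = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```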