directory-dev mailing list archives

From Aleksander Adamowski <apache-direct...@olo.org.pl>
Subject Implementing Kerberos on top of LDAP extended operations - contd.
Date Sun, 06 May 2012 17:56:59 GMT
Hi!

Resurrecting the old thread about integrating Kerberos with LDAP (
http://thread.gmane.org/gmane.comp.apache.incubator.directory.devel/24181
), I'd like to share my recent progress in pursuing this idea.

As I wrote in my blog ( http://olo.org.pl/dr/krbldap_thesis ), as a
subject of my master's thesis, I've made a proof of concept
implementation that demonstrates the idea in a working form. I've also
given a nice short name to the resulting combined protocol - KrbLDAP.

The thesis (available at
https://olo.org.pl/files/masters_thesis/Praca_Magisterska-Aleksander_Adamowski-A_new_secure_authentication_concept.pdf
) presents the rationale behind my proposal and describes a proof of
concept implementation (whose code I've made available on GitHub:
https://github.com/aadamowski ). More information in my aforementioned
blog post.

During work on this, as a side effect, I've discovered several
interoperability issues between the MIT libkrb5 client and Apache DS's KDC
implementation.

While several issues still remain, some of them have already been
addressed in the process (without it I wouldn't even be able to
progress beyond the initial message in the Kerberos exchange), e.g.:
http://thread.gmane.org/gmane.comp.apache.incubator.directory.devel/35632/focus=35687

I suppose that once the interoperability between MIT krb5 and Apache
DS gets better, my proof of concept test will result in successful
Kerberos ticket obtainment over KrbLDAP without any needed
modifications in its code.

Waiting anxiously for your feedback and constructive criticism,
-- 
Best Regards,
  Aleksander Adamowski
  http://olo.org.pl
