directory-dev mailing list archives

From Alex Karasulu <akaras...@apache.org>
Subject Re: Implementing Kerberos on top of LDAP extended operations - contd.
Date Sun, 06 May 2012 20:59:15 GMT
On Sun, May 6, 2012 at 8:56 PM, Aleksander Adamowski
<apache-directory@olo.org.pl> wrote:
> Hi!
>
> Resurrecting the old thread about integrating Kerberos with LDAP (
> http://thread.gmane.org/gmane.comp.apache.incubator.directory.devel/24181
> ), I'd like to share my recent progress in pursuing this idea.
>
> As I wrote in my blog ( http://olo.org.pl/dr/krbldap_thesis ), as a
> subject of my master's thesis, I've made a proof of concept
> implementation that demonstrates the idea in a working form. I've also
> given a nice short name to the resulting combined protocol - KrbLDAP.

Nice work. I went through your thesis as well.

> The thesis (available at
> https://olo.org.pl/files/masters_thesis/Praca_Magisterska-Aleksander_Adamowski-A_new_secure_authentication_concept.pdf
> ) presents the rationale behind my proposal and describes a proof of
> concept implementation (whose code I've made available on Github:
> https://github.com/aadamowski ). More information in my aforementioned
> blog post.
>
> During work on this, as a side effect, I've discovered several
> interoperability issues between MIT libkrb5 client and Apache DS's KDC
> implementation.

I looked at your workarounds for some of the issues. It's obvious from
your knowledge and how you solved the padata issue that you're more
than competent with our code base as well as LDAP & Kerberos
protocols. I highly advise contributing to the project here to make
your KrbLDAP protocol more accessible here at Apache Directory.

> While several issues still remain, some of them have already been
> addressed in the process (without it I wouldn't even be able to
> progress beyond initial message in the Kerberos exchange), e.g.:
> http://thread.gmane.org/gmane.comp.apache.incubator.directory.devel/35632/focus=35687
>
> I suppose that once the interoperability between MIT krb5 and Apache
> DS gets better, my proof of concept test will result in successful
> Kerberos ticket obtainment over KrbLDAP without any needed
> modifications in its code.
>
> Waiting anxiously for your feedback and constructive criticism,
> --
> Best Regards,
>   Aleksander Adamowski
>   http://olo.org.pl



-- 
Best Regards,
-- Alex
