Message-ID: <4FA81E3E.6000800@gmail.com>
Date: Mon, 07 May 2012 21:10:54 +0200
From: Emmanuel Lécharny
Reply-To: elecharny@apache.org
To: Apache Directory Developers List
Subject: Re: Implementing Kerberos on top of LDAP extended operations - contd.

On 5/6/12 7:56 PM, Aleksander Adamowski wrote:
> Hi!
>
> Resurrecting the old thread about integrating Kerberos with LDAP (
> http://thread.gmane.org/gmane.comp.apache.incubator.directory.devel/24181
> ), I'd like to share my recent progress in pursuing this idea.

Good !

> As I wrote in my blog ( http://olo.org.pl/dr/krbldap_thesis ), as a
> subject of my master's thesis, I've made a proof of concept
> implementation that demonstrates the idea in a working form. I've also
> given a nice short name to the resulting combined protocol - KrbLDAP.

Barely possible to pronounce, but still, sounds good :)

> The thesis (available at
> https://olo.org.pl/files/masters_thesis/Praca_Magisterska-Aleksander_Adamowski-A_new_secure_authentication_concept.pdf
> ) presents the rationale behind my proposal and describes a proof of
> concept implementation (whose code I've made available on Github:
> https://github.com/aadamowski ). More information in my aforementioned
> blog post.

I'll read this paper asap...

> During work on this, as a side effect, I've discovered several
> interoperability issues between MIT libkrb5 client and Apache DS's KDC
> implementation.

ApacheDS implem is far from being perfect ! I'd say that since 2007, we have not worked a lot on it, as we had to work full steam on the server itself.

> While several issues still remain, some of them have already been
> addressed in the process (without it I wouldn't even be able to
> progress beyond initial message in the Kerberos exchange), e.g.:
> http://thread.gmane.org/gmane.comp.apache.incubator.directory.devel/35632/focus=35687

Yeah, Kiran was very helpful here...

> I suppose that once the interoperability between MIT krb5 and Apache
> DS gets better, my proof of concept test will result in successful
> Kerberos ticket obtainment over KrbLDAP without any needed
> modifications in its code.
>
> Waiting anxiously for your feedback and constructive criticism,

The best here would be for you to jump on the bandwagon ! If you are interested in participating in the Kerberos effort, we can help you to understand how the current code is working. IMO, that would be the best possible solution, as we have a little knowledge about Kerberos (except when it comes to encoding/decoding the messages, and a few more things aside), but at least, we know how the server is implemented.

It's not that complex to become a contributor ! And we would really value a contributor who has deep knowledge of Kerberos :)

All in all, providing a few patches that make the server better is the best way to get in !

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com