Subject: RE: S4U2Proxy and S4U2Self on ApacheDS
From: Marc Boorshtein <mboorshtein@gmail.com>
To: Apache Directory Developers List <dev@directory.apache.org>
Date: Mon, 13 May 2013 19:18:40 -0400
In-Reply-To: <7D664BE6CF058A4CB1A06984A7AA678F18082C7B94@SM-CALA-VXMB06A.swna.wdpr.disney.com>

Are these all web services?

On May 13, 2013 6:31 PM, "Wu, James C." <James.C.Wu@disney.com> wrote:
> Thanks for the quick response. It seems I can't use these two protocols at
> the moment then.
>
> So let me describe my situation and maybe someone will give me some hint.
>
> I have a service A that will launch a bunch of jobs for its client. The
> jobs will interact with a Kerberos-secured service B. I was thinking about
> deploying a service principal for A onto the host where A is running and
> having it impersonate its clients using the S4U2Proxy and S4U2Self protocols.
>
> Since S4U2Proxy and S4U2Self are not yet working on ApacheDS, the
> other option I can think of is to deploy a key for each client of A onto
> the host where A is running. So A will request a Kerberos ticket for its
> client and use the ticket to access service B. The trouble is that
> every time I add a new client for A, I have to add a key entry into the
> keytab, which is a pain.
>
> Does anyone know a better way to do it?
>
> Regards,
>
> james
>
> From: Marc Boorshtein [mailto:mboorshtein@gmail.com]
> Sent: Monday, May 13, 2013 3:23 PM
> To: Apache Directory Developers List
> Subject: Re: S4U2Proxy and S4U2Self on ApacheDS
>
> I think that might have been me. While I was able to generate the
> tickets, they were never accepted by IIS (when ISA tickets were) so I gave
> up. But I was more focussed on the client APIs, not on having ApacheDS
> be a KDC.
>
> Thanks
>
> Marc
>
> On Mon, May 13, 2013 at 6:06 PM, Wu, James C. <James.C.Wu@disney.com> wrote:
>
> Hi,
>
> Does anyone know if ApacheDS supports these two protocols? In 2010, someone
> mentioned trying to implement these protocols. Is the work done? If
> so, how can I test them?
>
> Regards,
>
> James
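The keytab-per-client workaround James describes puts every client's long-term key on A's host and has to be kept in step with A's client list by hand, so the keytab itself becomes the thing to audit. The following is an added example, not code from this thread or from ApacheDS: it parses an MIT-format keytab (version 0x0502) on the defender's side without retaining key material and reports clients whose key is missing as well as entries for clients that no longer exist. The realm, the principal names, the enctype numbers and the zeroed keys in the sample keytab are constructed values.

```python
import struct

def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data

def keytab_entry(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """Encode one MIT keytab (v0x0502) entry: size, principal, name type, timestamp, kvno, key."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + _counted(key)
    body += struct.pack(">I", kvno)  # optional 32-bit kvno that newer ktutil versions append
    return struct.pack(">i", len(body)) + body

def parse_principals(buf: bytes) -> dict:
    """Map principal -> kvno for every live entry, stepping over key bytes without keeping them."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    out, off = {}, 2
    while off + 4 <= len(buf):
        size = struct.unpack_from(">i", buf, off)[0]
        off, end = off + 4, off + 4 + abs(size)
        if size >= 0:  # a negative size marks a deleted slot, which is skipped
            p, parts = off + 2, []
            for _ in range(struct.unpack_from(">H", buf, off)[0] + 1):  # realm, then name components
                n = struct.unpack_from(">H", buf, p)[0]
                parts.append(buf[p + 2:p + 2 + n].decode())
                p += 2 + n
            _, _, vno8, _, klen = struct.unpack_from(">IIBHH", buf, p)  # name type, time, kvno, enctype, key length
            p += 13 + klen
            kvno = struct.unpack_from(">I", buf, p)[0] if end - p >= 4 else 0
            out["/".join(parts[1:]) + "@" + parts[0]] = kvno or vno8
        off = end
    return out

def audit_keytab(buf: bytes, expected: set) -> dict:
    """Compare the principals whose keys sit on service A's host with the set A should hold."""
    present = set(parse_principals(buf))
    return {"missing": expected - present, "stale": present - expected}

# Constructed sample: A's own key plus two client keys, one for a client that no longer exists.
SAMPLE_KEYTAB = b"\x05\x02" + b"".join([
    keytab_entry("svcA/host.example.com@EXAMPLE.COM", 3, 18, bytes(32)),
    keytab_entry("client1@EXAMPLE.COM", 1, 18, bytes(32)),
    keytab_entry("oldclient@EXAMPLE.COM", 2, 17, bytes(16)),
])
EXPECTED = {"svcA/host.example.com@EXAMPLE.COM", "client1@EXAMPLE.COM", "client2@EXAMPLE.COM"}
```

Run `audit_keytab(SAMPLE_KEYTAB, EXPECTED)` to see the drift report; a stale entry means a former client's key is still readable on A's host and should be removed and the key rotated.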