directory-dev mailing list archives

From "Stefan Seelmann (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (DIRKRB-132) Update the Kerberos part in Directory Studio in favor of Kerby
Date Sun, 07 May 2017 09:36:04 GMT

    [ https://issues.apache.org/jira/browse/DIRKRB-132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15999750#comment-15999750 ]

Stefan Seelmann edited comment on DIRKRB-132 at 5/7/17 9:35 AM:
----------------------------------------------------------------

In Studio there are two usages of Kerberos:

1. Use of GSSAPI to authenticate to an LDAP server. There is a UI to ask the user for Kerberos-specific
parameters (use native TGT or obtain a new TGT, use of /etc/krb5.conf or manually
define KDC parameters) which are used to configure the connection provider. Currently there are
still two providers, JNDI and Apache LDAP API. The JNDI one will be removed anyway at some
point. The LDAP API provider uses the SaslGssApiRequest class of the LDAP API client, which
in the end uses "javax.security.auth" and Krb5LoginModule from the JDK. The most nasty problem that
users have is that on Windows Java cannot use the native TGT; can Kerby help with that?

2. Configuration UI of the Kerberos server part in ApacheDS.

So all in all the Studio doesn't have many Kerberos-specific parts, it just uses and configures
the parts from LDAP API and ApacheDS.




was (Author: seelmann):
In Studio there are two usages of Kerberos:

1. Use of GSSAPI to authenticate to an LDAP server. There is a UI to ask the user for Kerberos-specific
parameters (use native TGT or obtain a new TGT, use of /etc/krb5.conf or manually
define KDC parameters) which are used to configure the connection provider. Currently there are
still two providers, JNDI and Apache LDAP API. The JNDI one will be removed anyway at some
point. The LDAP API provider uses the SaslGssApiRequest class of the LDAP API client, which
in the end uses "javax.security.auth" and Krb5LoginModule from the JDK. The most nasty problem that
users have is that on Windows Java cannot use the native TGT; can Kerby help with that?

2. Configuration UI of the Kerberos server part in ApacheDS.

So all in all the Studio doesn't have many Kerberos-specific parts, it just uses the parts
from LDAP API and ApacheDS.



> Update the Kerberos part in Directory Studio in favor of Kerby
> --------------------------------------------------------------
>
>                 Key: DIRKRB-132
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-132
>             Project: Directory Kerberos
>          Issue Type: Sub-task
>            Reporter: Kai Zheng
>             Fix For: 2.0.0-RC1
>
>
> As discussed on the mailing list, we would decouple the Kerberos logic from the Directory
> related projects and code, to better maintain the dependencies and avoid the complexities.
> The Directory Studio should also be taken care of, but I'm not sure we would totally remove
> the embedded KDC server from the tool itself since that involves a compatibility concern. Please
> give your feedback here, thanks.
> Updated and re-purposed, according to [~akiran]'s email:
> {quote}
> that feature will remain there, later will be swapped with Kerby's core when it is ready,
> but the Kerberos feature of ApacheDS stays.
> In the end we have two:
> 1. Embedded Kerby in ApacheDS
> 2. Standalone Kerby
> {quote}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
