qpid-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rick van Rein <r...@openfortress.nl>
Subject Kerberos ticket naming: qpid/xxx should be amqp/xxx
Date Sat, 08 Jul 2017 21:00:59 GMT

I was pleased to see GSSAPI supported in Qpid Broker C++; I can think of
several uses of messaging where Kerberos' single sign-on is a blessing.

But the naming of the tickets as "qpid/host.name@REALM.NAME" is not as I
think it should be.  Clients nede to construct such names for their
ticket requests:
 - the "REALM.NAME" is the client's, or modified through KDC redirection
[or perhaps using draft-vanrein-dnstxt-krb1]
 - the "host.name" is derived from SRV records (it could be the domain
or host)
 - the service name, here "qpid" is commonly known to an implementation

The thing is that Qpid implementations may know what family they're
from, but a client should not have to guess what implementation is
running on a server it is trying to connect to.  We have a standard
protocol to escape from that :) and using "qpid/xxx" may work for Qpid
clients but others would be out of luck.  This would not be the case
with the normal pattern[0] that uses "amqp/host.name@REALM.NAME" instead.


As an example of this somewhat-vague text: we have
"ldap/host.name@REALM.NAME" instead of "openldap/host.name@REALM.NAME"
versus "389ds/host.name@REALM.NAME".  So OpenLDAP clients can access a
389DS directory and vice versa.  And nobody needs to try out many

FWIW, servers can actually accept multiple names in their keytab, so
backward compatibility is not an issue.  I do believe however, that the
default name should be set to "amqp/host.name@REALM.NAME" for Qpid.

I hope this is helpful!

Rick van Rein
OpenFortress.nl / ARPA2.net / InternetWide.org

To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org

View raw message