From: alex@milivojevic.org
I'm abusing the fact that all users have accounts on one of the AD domains.
Ahhh, so let me get this straight ... Your users are virtual, yet they have real accounts in ADS? Is this just for LAN? Or are you an ISP/ASP?
The "Unix" services are not aware of it. They simply authenticate user against flat userspace on LDAP server, and the LDAP/saslauthd component is smart enough to contact appropriate AD domain.
Ahhh, a very interesting setup indeed. Are you using ADS because the users are normally logging into Windows? [ And this is a LAN setup, not an ISP/ASP? ]
So, no, I'm not using Kerberos as such, because in reality the clients the users have can't use it either (the reason is simple: most Windows software talks neither Kerberos nor SASL; it is all username/password based, with an option to pass it over SSL/TLS).
Actually, that's not true. You can replace NT's GINA with pGINA (pluggable GINA) and authenticate and set up your credentials against various authentication/directory services.
Unless, of course, you are using software that absolutely requires ADS.
I'm simply abusing the fact I can authenticate against AD domain using Kerberos as protocol.
Correct. Again, I'm curious if this is because you already use ADS for other purposes? Or someone decided that ADS was "easier" to support?
So the question is: if I have user-a and user-b, where user-a exists as principal user-1@domain-1 and user-b exists as principal user-2@domain-2, can I have FDS authenticate the user against the appropriate domain if passed only "id=user-a,dc=mydomain,dc=com" or "id=user-b,dc=mydomain,dc=com"? No SASL, no Kerberos mumbo-jumbo all the way from the user's client software to the LDAP server (what happens from the LDAP server onwards can be anything, as long as it works).
It seems so based on the page I sent you. Although I think you might have to change your string slightly.
The docs explicitly stated that 1 server _can_ authenticate against _multiple_ realms. I don't see how your setup is different, except for using the MS-Kerberos protocol which has been integrated into newer Kerberos client implementations.
-- Bryan J. Smith mailto:b.j.smith@ieee.org
Bryan J. Smith b.j.smith@ieee.org wrote:
It seems so based on the page I sent you. Although I think you might have to change your string slightly.
The docs explicitly stated that 1 server _can_ authenticate against _multiple_ realms. I don't see how your setup is different, except for using the MS-Kerberos protocol which has been integrated into newer Kerberos client implementations.
Oh, well. Then the only way to check it out is for me to attempt to implement it and see how it goes. I was just hoping somebody had already done it (or at least attempted to do it), and could tell me whether it works.
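The pass-through Alex describes, as an added example that is not part of the thread and not Fedora Directory Server or saslauthd code: the client does a plain LDAP simple bind with a flat DN and a password, the directory entry carries the user's real principal, and the password is checked against the KDC of that principal's realm. The directory contents, the realm names and the `TRUSTED_REALMS` allow-list are constructed for the example; the verification step shells out to MIT `kinit`, which needs a reachable KDC, so the dispatch function accepts an injected verifier instead.

```python
"""Dispatch an LDAP simple bind to the Kerberos realm that owns the user.

Added example, not code from the thread or from FDS/saslauthd.  The client
binds as uid=user-a,dc=mydomain,dc=com with a password; the entry's principal
attribute says which realm to forward the password to.
"""
import os
import subprocess
import tempfile
from typing import Callable, Dict, Optional, Tuple

# Constructed sample directory: bind DN -> the user's Kerberos principal.
# In a real deployment this is an attribute on the LDAP entry.
DIRECTORY: Dict[str, str] = {
    "uid=user-a,dc=mydomain,dc=com": "user-1@DOMAIN-1.EXAMPLE",
    "uid=user-b,dc=mydomain,dc=com": "user-2@DOMAIN-2.EXAMPLE",
}

# Realms this server may forward authentication to (assumed names).  Anything
# else is refused, so a writable principal attribute cannot redirect a bind
# to a realm the attacker controls.
TRUSTED_REALMS = {"DOMAIN-1.EXAMPLE", "DOMAIN-2.EXAMPLE"}


def normalize_dn(dn: str) -> str:
    """Lower-case attribute types and strip spaces around RDN separators."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip()}")
    return ",".join(parts)


def split_principal(principal: str) -> Tuple[str, str]:
    """Split 'user@REALM' into its two parts; the realm is mandatory."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"principal without realm: {principal!r}")
    return name, realm


def verify_with_kinit(principal: str, password: str, timeout: int = 10) -> bool:
    """Ask the realm's KDC for a TGT; success means the password is right.

    kinit reads the password from stdin when stdin is not a tty, so the
    password never appears on the command line.  A temporary credential
    cache keeps the TGT out of the caller's default cache.  This alone does
    not defend against a spoofed KDC; saslauthd's kerberos5 mechanism adds
    a keytab check for that, which this example omits.
    """
    with tempfile.TemporaryDirectory() as tmp:
        env = dict(os.environ, KRB5CCNAME=f"FILE:{tmp}/cc")
        try:
            proc = subprocess.run(
                ["kinit", principal],
                input=password + "\n", text=True, env=env,
                capture_output=True, timeout=timeout,
            )
        except (FileNotFoundError, subprocess.TimeoutExpired):
            return False
        return proc.returncode == 0


def authenticate_bind(
    bind_dn: str,
    password: str,
    directory: Dict[str, str] = DIRECTORY,
    verifier: Callable[[str, str], bool] = verify_with_kinit,
) -> Optional[str]:
    """Return the principal that was verified, or None on any failure."""
    if not password:
        return None  # an empty password is an anonymous bind, never a user
    principal = directory.get(normalize_dn(bind_dn))
    if principal is None:
        return None
    try:
        _, realm = split_principal(principal)
    except ValueError:
        return None
    if realm not in TRUSTED_REALMS:
        return None
    return principal if verifier(principal, password) else None


if __name__ == "__main__":
    # Only works with a reachable KDC for DOMAIN-1.EXAMPLE.
    print(authenticate_bind("uid=user-a,dc=mydomain,dc=com", "secret"))
```

The two checks worth keeping whatever replaces `kinit` are the empty-password refusal (an LDAP simple bind with an empty password is an anonymous bind, and a pass-through that forwards it can turn anonymous into authenticated) and the realm allow-list, since the principal attribute decides which KDC sees the password.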