Provisioning and administrative tools for MIT KDC - Kerberos


Thread: Provisioning and administrative tools for MIT KDC

  1. Provisioning and administrative tools for MIT KDC

    Hello,
    I am working with Kerberos MIT infrastructure to perform SSO for ICT
    operators in a Telecommunications company in Italy.
    I want to ask you the following question about the provisioning and the
    admin operations for the KDC:

    -Is there any API interface (java, c, any other language) to perform
    administrative operations? (add a principal, change a password, delete a
    principal)


    We must perform automatic provisioning via a web application (jsp) so it
    seems to be not a good solution using the kadmin command via System
    Calls.

    The KDC is the MIT's one


    Thank you in advance.


    Vincenzo Carnuccio
    Value Team S.p.A.
    Via Panebianco, 293
    87100 Cosenza
    Tel. +39 0984 392 723
    Cel. +39 335 6486810
    Fax +39 0984 484 952
    Vincenzo.Carnuccio@valueteam.com
    http://www.valueteam.com





  2. Re: Provisioning and administrative tools for MIT KDC

    >>>>> "CV" == Carnuccio Vincenzo writes:

    CV> Hello, I am working with Kerberos MIT infrastructure to perform
    CV> SSO for ICT operators in a Telecommunications company in Italy. I
    CV> want to ask you the following question about the provisioning and
    CV> the admin operations for the KDC:

    CV> -Is there any API interface (java, c, any other language) to
    CV> perform administrative operations? (add a principal, change a
    CV> password, delete a principal)


    CV> We must perform automatic provisioning via a web application (jsp)
    CV> so it seems to be not a good solution using the kadmin command via
    CV> System Calls.

    CV> The KDC is the MIT's one

    http://search.cpan.org/~korty/Authen...-0.09/Admin.pm

    --
    Richard Silverman
    res@qoxp.net


  3. Re: Provisioning and administrative tools for MIT KDC

    res@qoxp.net replied to Vincenzo.Carnuccio@valueteam.com:
    ....
    > CV> -Is there any API interface (java, c, any other language) to
    > CV> perform administrative operations? (add a principal, change a
    > CV> password, delete a principal)
    >
    >
    > CV> We must perform automatic provisioning via a web application (jsp)
    > CV> so it seems to be not a good solution using the kadmin command via
    > CV> System Calls.
    >
    > CV> The KDC is the MIT's one
    >
    > http://search.cpan.org/~korty/Authen...-0.09/Admin.pm
    >
    > CV> Thank you in advance.


    The perl module is probably the best available at present.

    Recent versions of MIT kerberos should also export a C callable
    api for kadm5. With older versions of MIT this was also possible,
    but required extracting bits from built source for MIT k5.
    If you feel like experimenting, this may help,
    http://mailman.mit.edu/pipermail/krb...ch/005702.html

    There are also possibilities with java. I've got a java library
    that will do this, which I hope to make generally available shortly.
    It's undergoing review and final feature development right now. It uses
    jni and calls into gssrpc. A future version could be pure java, but
    that wasn't feasible right off.

    If you want a different java answer - opensolaris has a java library built
    into its source. It uses jni and calls into kadm5. Note CDDL licensing.
    Here's how to fetch a copy,

    do this,
    < find a filesystem with lots of space on a machine with mercurial >
    hg clone ssh://anon@hg.opensolaris.org/hg/onnv/onnv-gate
    then look here:
    onnv-gate/usr/src/OPENSOLARIS.LICENSE
    onnv-gate/usr/src/cmd/krb5/kadmin/gui/native/Kadmin.c
    onnv-gate/usr/src/cmd/krb5/kadmin/gui/native/Kadmin.java
    for more on solaris,
    http://opensolaris.org/os/project/onnv/
    You will probably have to work out your own build procedure.

    We didn't go with that for various reasons, but maybe it
    can meet your needs.

    -Marcus Watts

  4. Re: Provisioning and administrative tools for MIT KDC

    Hi Vincenzo,

    The NetDirector kerberos plugin was designed to provide exactly the
    functionality you're looking for.

    But there are some bugs with it, so I have classified it as Beta.

    Here are the links: www.netdirector.org

    Description of the Kerberos plugin: http://emusoftware.com/content/view/208/231/

    Please contact me if we can help.

    Best,

    --
    Greg Wallace
    Co-Founder and CEO
    Emu Software, Inc.
    Sponsor of the NetDirector Open Management Console Project
    www.netdirector.org
    o: 617.830.1835
    m: 919.247.3165
    skype: gregwallaceemu


    On Thu, January 10, 2008 9:51 pm, Richard E. Silverman wrote:
    > http://search.cpan.org/~korty/Authen...-0.09/Admin.pm





  5. Re: Provisioning and administrative tools for MIT KDC

    Hi All,

    At the Fedora Users and Developer Conference yesterday they announced a
    new remote management project that might be interesting to people following
    this thread.

    You can find out more about it here: https://fedorahosted.org/func

    Best,

    Greg

    On Thu, January 10, 2008 10:59 pm, Marcus Watts wrote:
    > The perl module is probably the best available at present.

  6. Re: Provisioning and administrative tools for MIT KDC

    On Sun, Jan 13, 2008 at 05:59:07PM -0500, Greg Wallace wrote:
    > Hi All,
    >
    > At the Fedora Users and Developer Conference yesterday they announced a
    > new remote management project that might be interesting to people following
    > this thread.
    >
    > You can find out more about it here: https://fedorahosted.org/func


    Interesting. It looks a lot like Puppet (which is moving away from XMLRPC).

    http://reductivelabs.com/trac/puppet

    Jos


    --
    Jos Backus
    jos at catnook.com

  7. Re: Provisioning and administrative tools for MIT KDC

    that's not a bad comparison, but I think (and this is how the guys
    presenting the project at FUDcon explained the difference) func is like
    puppet-lite (or, better, puppet really really really lite)

    for example - with puppet, you get revision control, not so with func, and
    this is just one example

    as to xmlrpc, I've got no insight on why func chose that or what its
    relative merits are...

    Greg


    On Mon, January 14, 2008 12:51 pm, Jos Backus wrote:
    > Interesting. It looks a lot like Puppet (which is moving away from
    > XMLRPC).

  8. Re: Provisioning and administrative tools for MIT KDC

    "Greg Wallace" writes:

    > At the Fedora Users and Developer Conference yesterday they announced a
    > new remote management project that might be interesting to people
    > following this thread.
    >
    > You can find out more about it here: https://fedorahosted.org/func


    func is a lot like remctl except with more access to the programming language
    and a different authentication strategy. It's yet another retread of a
    very old idea (going back at least to the old IBM sysctl that used
    Kerberos v4), also represented by CERN ARC and various other systems. (I
    think that both adm and Moira have some capabilities along these lines as
    well.)

    Our experience at Stanford was that we never actually needed to be able to
    embed programs into the server and the additional complexity of supporting
    that wasn't worth it, so remctl always runs an external program. This has
    worked quite well for us.

    remctl doesn't use any of the XML languages in part because dealing with
    the parsing libraries was too painful for the benefit gained in our
    opinion when we started the project. We wanted something with a
    lightweight server that didn't require dependencies on scripting languages
    since at the time we had a huge Solaris infrastructure. These days, with
    Linux being more common, the Python dependencies aren't as big of a deal.

    You can get remctl from .
    It's in widespread production use at Stanford.

    --
    Russ Allbery (rra@stanford.edu)
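
Added example, not from any poster or project in this thread: if the web application does end up running kadmin as an external program, the approach the opening question was wary of, this Java class builds the kadmin argument vector without a shell and rejects any principal name outside a strict allowlist, because kadmin tokenizes the -q query string itself. The realm, admin principal, keytab path, reserved names and naming policy are assumptions chosen for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

public class KadminCommand {

    public enum Op { ADD, DELETE, RANDOMIZE_KEY }

    // Assumed site policy (not from the thread): lowercase user principals,
    // optionally with one instance, all in a single fixed realm.
    private static final Pattern COMPONENT = Pattern.compile("[a-z][a-z0-9._-]{0,31}");
    private static final Set<String> RESERVED =
            new HashSet<>(Arrays.asList("krbtgt", "kadmin", "kiprop", "host"));
    private static final String REALM = "EXAMPLE.ORG";                // placeholder
    private static final String ADMIN = "webprov/admin@" + REALM;     // placeholder
    private static final String KEYTAB = "/etc/krb5/webprov.keytab";  // placeholder

    /** Returns "name[/instance]@REALM", or throws if the name is outside policy. */
    static String canonicalPrincipal(String requested) {
        if (requested == null) {
            throw new IllegalArgumentException("missing principal name");
        }
        String[] parts = requested.split("/", -1);
        if (parts.length > 2) {
            throw new IllegalArgumentException("too many name components");
        }
        for (String part : parts) {
            // Allowlist, not escaping: whitespace, quotes and '@' never reach kadmin.
            if (!COMPONENT.matcher(part).matches()) {
                throw new IllegalArgumentException("illegal character or length in name");
            }
        }
        // The web tier must never create or delete admin or service identities.
        if (RESERVED.contains(parts[0]) || (parts.length == 2 && parts[1].equals("admin"))) {
            throw new IllegalArgumentException("reserved principal");
        }
        return requested + "@" + REALM;
    }

    /** Builds the argument vector; no shell is involved at any point. */
    static List<String> argv(Op op, String requested) {
        String principal = canonicalPrincipal(requested);
        String query;
        switch (op) {
            case ADD:           query = "add_principal -randkey " + principal; break;
            case DELETE:        query = "delete_principal -force " + principal; break;
            case RANDOMIZE_KEY: query = "change_password -randkey " + principal; break;
            default: throw new IllegalArgumentException("unsupported operation");
        }
        // Keytab authentication keeps the admin password out of the web tier,
        // and -randkey keeps user passwords off the command line.
        return new ArrayList<>(Arrays.asList(
                "kadmin", "-r", REALM, "-p", ADMIN, "-k", "-t", KEYTAB, "-q", query));
    }

    public static void main(String[] args) {
        // Constructed sample inputs, as they might arrive from a web form.
        String[] samples = { "mrossi", "mrossi/ops", "mrossi extra", "m\"rossi",
                             "mrossi@OTHER.REALM", "root/admin", "krbtgt/EXAMPLE.ORG" };
        for (String s : samples) {
            try {
                System.out.println("ACCEPT " + argv(Op.ADD, s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT [" + s + "]: " + e.getMessage());
            }
        }
        // A caller would pass the list to new ProcessBuilder(argv).start()
        // and inspect the command's output before reporting success.
    }
}
```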

  9. Re: Provisioning and administrative tools for MIT KDC

    Hello,
    I work with Vincenzo Carnuccio.
    We have now tried the Perl extension and it seems to work fine.
    We are also trying the JNI project in ONNV-gate.
    We will keep you informed.

    Thank you!


    On 14 Jan, 21:33, Russ Allbery wrote:
    > func is a lot like remctl except with more access to the programming language
    > and a different authentication strategy. It's yet another retread of a
    > very old idea (going back at least to the old IBM sysctl that used
    > Kerberos v4), also represented by CERN ARC and various other systems. (I
    > think that both adm and Moira have some capabilities along these lines as
    > well.)


  10. Re: Provisioning and administrative tools for MIT KDC

    Hi,
    once we had tested Perl, we experienced some problems involving CGI-Perl
    in order to manage Kerberos with Perl with a web application.

    We want to know what you think about involving JPL for calling Perl
    (interface to Kerberos) from Java (web application).

    In your opinion, which is the better solution, CGI-BIN or JPL?

    Thanks in advance guys!

    Best regards,
    Andrea

    On 15 Jan, 09:48, Andrea wrote:
    > Hello,
    > I work with Vincenzo Carnuccio.
    > We have now tried the Perl extension and it seems to work fine.
    > We are also trying the JNI project in ONNV-gate.
    > We will keep you informed.