Kerberized authorization service
I'm still looking at ways to implement central user authorization management.
An idea I'm currently playing with is a simple Kerberized client-server
authorization application. I'm hoping that as far as the Kerberos side is
concerned, I'll be able to cobble this together from existing bits and pieces
and that all that is needed is some integration glue.
>From the server's point of view, things would work as follows:[/color]
- accepts some client-generated request (containing service,
principal/username, hostname, etc.) over TCP;
- sends this data to a backend application;
- receives the response ('authorized' or 'not authorized') from the backend;
- relays the response to the client.
The client is called by pam_exec from the account group, so it has access to
the username; the realm could be supplied on the command line. The client
could try multiple authorization servers to ensure availability.
The backend application could simply query a database which is maintained by
another application (presumably with an easy to use web frontend).
Thoughts? Would I be better off using GSSAPI instead?
jos at catnook.com