On Wed, Oct 03, 2007 at 12:29:00AM +0100, Simon Wilkinson wrote:
>
> >Does anyone have any mods to use LDAP to store the auth_to_local
> >database?

>
> Somewhere or another I've got patches allowing this to be deferred to a
> daemon that's contacted through a Unix socket (library provides principal
> and username, dameon says yes or no). I never really got past prototyping
> this as a proof of concept, and we've never got round to using it in
> production, but I can dig out the code if anyone is interested. In the case
> you're discussing it would allow the LDAP lookups to be performed
> 'out-of-process'.


This sounds interesting. In the solution I am envisioning, this daemon would
take the hostname, principal and username and return whether the mapping is
valid or not, i.e. whether that principal can log into that user@hostname.
This then would somehow end up back in the app through krb5_kuserok().

(Btw, it sounds like this could also be implemented using a centralized
authorization server.)

Am I understanding correctly?

Thanks,
--
Jos Backus
jos at catnook.com