All,

Ok. Got the message. Sounds like Kerberos with LDAP is the way to go until some better combo comes along. I don't suppose anyone knows of a JAAS SPI out there that combines these two into one interface for Java JAAS security clients?

Thanks everyone

Bart

"bart.w.jenkins" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> All,
> I would love to use MIT's Kerberos, but it looks as though it can NOT do Role Based Access Control (RBAC) out of the box. It seems that MIT's Kerberos stores only principals and knows nothing about any roles those principals might or might not have. For any particular user, I would love to be able to attach a list of roles that person plays. For example, for user Joe, I need to be able to say that principal Joe has roles: Admin, Superuser or Manager or Supervisor, or Team1Leader etc. Then, when Joe authenticates to the KDC, if both the principal (what Java JAAS calls the subject) could also return a list of roles (JAAS principals), I could then do RBAC. Microsoft had to add some separate user-to-role database that is consulted when users authenticate in their Active Directory realm. I would like to not have to do this. Does anyone know of a Kerberos implementation that does RBAC and, BTW, works with Sun's JAAS (Java security)?
>
> I could just have user Kerberos principals and Role principals, but then when someone logged in with a Role user id, I would not know who the underlying user was. It seems that adding some Role attributes to the kerb principal would help a lot here.
>
> Thanks
>
> Bart

________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
