On 04/14/2011 03:51 PM, Linus Nordberg wrote:
Fredrik Thulin <fredrik(a)yubico.com> wrote
Thu, 14 Apr 2011 21:25:24 +0200:
| On Thu, Apr 14, 2011 at 9:00 PM, Sumit Bose <sbose(a)redhat.com> wrote:
| ...
| > Yes, you can also find it in the MIT source in
| > src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema. The krbExtraData
| > attribute is used to store the Yubikey token id for the principal. It
| > is encoded so not easy to edit. I will add a utility to the rpm and web
| > site to make this easy.
|
| I ran into the same dilemma when implementing a MultiFactor
| authentication handler for Shibboleth. Ended up mapping usernames <->
| YubiKey public id's in a plain text file as a proof of concept only.
That's what I'll end up doing if this shows to be a too inconvenient way
of configuring various principal attributes. For testing stuff.
But let me first understand how krbExtraData ends up in
krb5_db_entry->tl_data. From populate_krb5_db_entry()
[plugins/kdb/ldap/libkdb_ldap/ldap_misc.c] it looks like it's a sequence
of BER encoded TLV's. If so, I should probably just find out how to
craft these in a reasonably convenient way.
_______________________________________________
authhub-devel mailing list
authhub-devel(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/authhub-devel
I suggest we split the actual data representation in LDAP schema or
whatever back end is used from the data model and information needed by
the plugin(s) to do the work. The ID is just one piece of the puzzle.
IMO in a generic case there should be an attribute of the account that
would dictate what kind of the external authentication is required for
such account and then depending on the type of the external
authentication a blob of data that defines method specific properties
like a Yubikey ID in Yubikey case. It can have other information too.
This info will be method specific and processed by the vendor plugin.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/