Posted to dev@directory.apache.org by Aleksander Adamowski <ap...@olo.org.pl> on 2012/05/06 19:56:59 UTC

Implementing Kerberos on top of LDAP extended operations - contd.

Hi!

Resurrecting the old thread about integrating Kerberos with LDAP (
http://thread.gmane.org/gmane.comp.apache.incubator.directory.devel/24181
), I'd like to share my recent progress in pursuing this idea.

As I wrote in my blog ( http://olo.org.pl/dr/krbldap_thesis ), as the
subject of my master's thesis, I've made a proof of concept
implementation that demonstrates the idea in a working form. I've also
given a nice short name to the resulting combined protocol - KrbLDAP.

The thesis (available at
https://olo.org.pl/files/masters_thesis/Praca_Magisterska-Aleksander_Adamowski-A_new_secure_authentication_concept.pdf
) presents the rationale behind my proposal and describes a proof of
concept implementation (whose code I've made available on Github:
https://github.com/aadamowski ). More information in my aforementioned
blog post.

During work on this, as a side effect, I've discovered several
interoperability issues between MIT libkrb5 client and Apache DS's KDC
implementation.

While several issues still remain, some of them have already been
addressed in the process (without that I wouldn't even have been able
to progress beyond the initial message in the Kerberos exchange), e.g.:
http://thread.gmane.org/gmane.comp.apache.incubator.directory.devel/35632/focus=35687

I suppose that once the interoperability between MIT krb5 and Apache
DS gets better, my proof of concept test will result in successful
Kerberos ticket obtainment over KrbLDAP without any needed
modifications in its code.

Waiting anxiously for your feedback and constructive criticism,
-- 
Best Regards,
  Aleksander Adamowski
  http://olo.org.pl
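The encapsulation the post proposes, a Kerberos KDC message carried as the value of an LDAP extended operation, as an added example written for this page; it is neither the thesis's proof-of-concept code nor ApacheDS code. The LDAP tags follow RFC 4511 and the outer Kerberos APPLICATION tags follow RFC 4120; the OID, the placeholder AS-REQ/AS-REP bodies, the function names and the simulated client/KDC round trip are assumptions made here. Both sides check that the OID and message ID match and that the payload really is a KDC message before using it.

```python
# Added illustration, not code from the thesis or from ApacheDS: a Kerberos
# message wrapped in an LDAP ExtendedRequest / ExtendedResponse (RFC 4511).
# BER is hand-rolled so the example runs offline with no LDAP library.
# HYPOTHETICAL: this OID is a placeholder, not one defined by anyone.
KRBLDAP_OID = b"1.3.6.1.4.1.99999.1.1"

# Tags from RFC 4511 (LDAP) and RFC 4120 (Kerberos)
LDAPMESSAGE, INTEGER, ENUMERATED, OCTET_STRING = 0x30, 0x02, 0x0A, 0x04
EXTENDED_REQUEST, EXTENDED_RESPONSE = 0x77, 0x78   # [APPLICATION 23] / [APPLICATION 24]
REQ_NAME, REQ_VALUE = 0x80, 0x81                   # [0] requestName, [1] requestValue
RESP_NAME, RESP_VALUE = 0x8A, 0x8B                 # [10] responseName, [11] responseValue
KRB_MSG_TYPES = {0x6A: "AS-REQ", 0x6B: "AS-REP", 0x6C: "TGS-REQ",
                 0x6D: "TGS-REP", 0x7E: "KRB-ERROR"}  # [APPLICATION 10/11/12/13/30]
LDAP_SUCCESS = 0


def ber_len(n):
    """BER length octets: short form below 128, definite long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(n):
    """INTEGER in minimal two's-complement form (enough for LDAP messageIDs)."""
    return tlv(INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def parse_tlv(buf, pos=0):
    """Return (tag, content, next_pos); rejects truncated and indefinite lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    elif first == 0x80:
        raise ValueError("indefinite length not allowed in LDAP")
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated TLV content")
    return tag, buf[pos + hdr:end], end


def parse_seq(buf):
    """Split a constructed value into its ordered list of (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, content, pos = parse_tlv(buf, pos)
        out.append((tag, content))
    return out


def krb_msg_type(msg):
    """Name of the outer Kerberos APPLICATION tag; raise if it is not a KDC message."""
    tag, _, end = parse_tlv(msg)
    if end != len(msg) or tag not in KRB_MSG_TYPES:
        raise ValueError("payload is not a single Kerberos KDC message")
    return KRB_MSG_TYPES[tag]


def encode_request(message_id, krb_msg):
    op = tlv(EXTENDED_REQUEST, tlv(REQ_NAME, KRBLDAP_OID) + tlv(REQ_VALUE, krb_msg))
    return tlv(LDAPMESSAGE, ber_int(message_id) + op)


def encode_response(message_id, result_code, krb_msg):
    # LDAPResult: resultCode, matchedDN, diagnosticMessage (the last two left empty)
    result = tlv(ENUMERATED, bytes([result_code])) + tlv(OCTET_STRING, b"") + tlv(OCTET_STRING, b"")
    op = tlv(EXTENDED_RESPONSE, result + tlv(RESP_NAME, KRBLDAP_OID) + tlv(RESP_VALUE, krb_msg))
    return tlv(LDAPMESSAGE, ber_int(message_id) + op)


def decode(buf):
    """Return (message_id, op_tag, krb_type, krb_msg) for a KrbLDAP request or response.
    Anything that is not a well-formed extended op with our OID and a KDC message is rejected."""
    tag, body, end = parse_tlv(buf)
    if tag != LDAPMESSAGE or end != len(buf):
        raise ValueError("not exactly one LDAPMessage")
    fields = parse_seq(body)
    if len(fields) < 2 or fields[0][0] != INTEGER:
        raise ValueError("messageID missing")
    message_id = int.from_bytes(fields[0][1], "big", signed=True)
    op_tag, op_body = fields[1]
    if op_tag == EXTENDED_REQUEST:
        name_tag, value_tag = REQ_NAME, REQ_VALUE
    elif op_tag == EXTENDED_RESPONSE:
        name_tag, value_tag = RESP_NAME, RESP_VALUE
        result_code = parse_seq(op_body)[0][1][0]
        if result_code != LDAP_SUCCESS:
            raise ValueError("LDAP resultCode %d" % result_code)
    else:
        raise ValueError("not an extended operation")
    parts = dict(parse_seq(op_body))  # name/value tags are unique within the op
    if parts.get(name_tag) != KRBLDAP_OID:
        raise ValueError("unexpected extended operation OID")
    if value_tag not in parts:
        raise ValueError("extended operation carries no Kerberos message")
    krb_msg = parts[value_tag]
    return message_id, op_tag, krb_msg_type(krb_msg), krb_msg


def exchange(as_req, message_id=1):
    """Simulated round trip: client wraps an AS-REQ, the 'KDC' unwraps it and answers
    with a constructed placeholder AS-REP, the client unwraps and validates the reply."""
    wire_req = encode_request(message_id, as_req)
    # -- KDC side --
    mid, op_tag, krb_type, _ = decode(wire_req)
    if op_tag != EXTENDED_REQUEST or krb_type != "AS-REQ":
        raise ValueError("KDC expected an AS-REQ")
    as_rep = tlv(0x6B, b"constructed placeholder, not a real AS-REP body")
    wire_resp = encode_response(mid, LDAP_SUCCESS, as_rep)
    # -- client side --
    mid2, op_tag2, krb_type2, payload = decode(wire_resp)
    if mid2 != message_id or op_tag2 != EXTENDED_RESPONSE:
        raise ValueError("response does not match our request")
    if krb_type2 not in ("AS-REP", "KRB-ERROR"):
        raise ValueError("unexpected Kerberos message in response")
    return krb_type2, payload


# Constructed sample: only the outer [APPLICATION 10] tag of a real AS-REQ is present.
SAMPLE_AS_REQ = tlv(0x6A, b"constructed placeholder, not a real AS-REQ body")

if __name__ == "__main__":
    print(exchange(SAMPLE_AS_REQ)[0])
```

The placeholder bodies stand in for the DER-encoded KDC-REQ-BODY and KDC-REP that a real client and KDC would produce; the point here is the LDAP envelope and the checks on it, not Kerberos encoding. Note that `decode` refuses a response whose LDAP resultCode is not success even if it carries a value, so a KDC that signals failure at the LDAP layer cannot smuggle a stale or foreign payload past the client.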

Re: Implementing Kerberos on top of LDAP extended operations - contd.

Posted by Pierre-Arnaud Marcelot <pa...@marcelot.net>.
Hi Aleksander,

On 8 May 2012, at 23:26, Aleksander Adamowski wrote:
> On Sun, May 6, 2012 at 10:59 PM, Alex Karasulu <ak...@apache.org> wrote:
>> I looked at your workarounds for some of the issues. It's obvious from
>> your knowledge and how you solved the padata issue that you're more
>> than competent with our code base as well as LDAP & Kerberos
>> protocols. I highly advise contributing to the project here to make
>> your KrbLDAP protocol more accessible here at Apache Directory.
> 
> That would be great.
> However, I cannot guarantee any concrete degree of involvement on my
> part as I have a day job and a family to take care of :)

This is not an issue at all. Most people within the Apache Software Foundation are volunteers and only a few are paid by their employers to work on the projects.
This isn't an obligation, but mostly for fun. :)

> How do I sign up for an SVN account?

Actually, there's no sign up per se.

The Apache Software Foundation is based on "Meritocracy" and project members elect new candidates.
There is more information available here [1] and there [2].

The recommended way for you is to propose your modifications on our issue tracking system [3].

> And BTW, are there plans to migrate from SVN to Git? That would
> simplify some things a lot…

A few projects at the ASF are currently experimenting with Git.
It isn't widely available yet, but I guess it's just a matter of months now.

Regards,
Pierre-Arnaud

[1] - http://apache.org/foundation/faq.html#joining
[2] - http://apache.org/foundation/how-it-works.html
[3] - https://issues.apache.org/jira/browse/DIRSERVER

> -- 
> Best Regards,
>   Aleksander Adamowski
>   http://olo.org.pl


Re: Implementing Kerberos on top of LDAP extended operations - contd.

Posted by Aleksander Adamowski <al...@olo.org.pl>.
On Sun, May 6, 2012 at 10:59 PM, Alex Karasulu <ak...@apache.org> wrote:
> I looked at your workarounds for some of the issues. It's obvious from
> your knowledge and how you solved the padata issue that you're more
> than competent with our code base as well as LDAP & Kerberos
> protocols. I highly advise contributing to the project here to make
> your KrbLDAP protocol more accessible here at Apache Directory.

That would be great.
However, I cannot guarantee any concrete degree of involvement on my
part as I have a day job and a family to take care of :)

How do I sign up for an SVN account?

And BTW, are there plans to migrate from SVN to Git? That would
simplify some things a lot...


-- 
Best Regards,
  Aleksander Adamowski
  http://olo.org.pl

Re: Implementing Kerberos on top of LDAP extended operations - contd.

Posted by Alex Karasulu <ak...@apache.org>.
On Sun, May 6, 2012 at 8:56 PM, Aleksander Adamowski
<ap...@olo.org.pl> wrote:
> Hi!
>
> Resurrecting the old thread about integrating Kerberos with LDAP (
> http://thread.gmane.org/gmane.comp.apache.incubator.directory.devel/24181
> ), I'd like to share my recent progress in pursuing this idea.
>
> As I wrote in my blog ( http://olo.org.pl/dr/krbldap_thesis ), as the
> subject of my master's thesis, I've made a proof of concept
> implementation that demonstrates the idea in a working form. I've also
> given a nice short name to the resulting combined protocol - KrbLDAP.

Nice work. I went through your thesis as well.

> The thesis (available at
> https://olo.org.pl/files/masters_thesis/Praca_Magisterska-Aleksander_Adamowski-A_new_secure_authentication_concept.pdf
> ) presents the rationale behind my proposal and describes a proof of
> concept implementation (whose code I've made available on Github:
> https://github.com/aadamowski ). More information in my aforementioned
> blog post.
>
> During work on this, as a side effect, I've discovered several
> interoperability issues between MIT libkrb5 client and Apache DS's KDC
> implementation.

I looked at your workarounds for some of the issues. It's obvious from
your knowledge and how you solved the padata issue that you're more
than competent with our code base as well as LDAP & Kerberos
protocols. I highly advise contributing to the project here to make
your KrbLDAP protocol more accessible here at Apache Directory.

> While several issues still remain, some of them have already been
> addressed in the process (without that I wouldn't even have been able
> to progress beyond the initial message in the Kerberos exchange), e.g.:
> http://thread.gmane.org/gmane.comp.apache.incubator.directory.devel/35632/focus=35687
>
> I suppose that once the interoperability between MIT krb5 and Apache
> DS gets better, my proof of concept test will result in successful
> Kerberos ticket obtainment over KrbLDAP without any needed
> modifications in its code.
>
> Waiting anxiously for your feedback and constructive criticism,
> --
> Best Regards,
>   Aleksander Adamowski
>   http://olo.org.pl



-- 
Best Regards,
-- Alex

Re: Implementing Kerberos on top of LDAP extended operations - contd.

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 5/6/12 7:56 PM, Aleksander Adamowski wrote:
> Hi!
>
> Resurrecting the old thread about integrating Kerberos with LDAP (
> http://thread.gmane.org/gmane.comp.apache.incubator.directory.devel/24181
> ), I'd like to share my recent progress in pursuing this idea.

Good!
>
> As I wrote in my blog ( http://olo.org.pl/dr/krbldap_thesis ), as the
> subject of my master's thesis, I've made a proof of concept
> implementation that demonstrates the idea in a working form. I've also
> given a nice short name to the resulting combined protocol - KrbLDAP.
Barely possible to pronounce, but still, sounds good :)
>
> The thesis (available at
> https://olo.org.pl/files/masters_thesis/Praca_Magisterska-Aleksander_Adamowski-A_new_secure_authentication_concept.pdf
> ) presents the rationale behind my proposal and describes a proof of
> concept implementation (whose code I've made available on Github:
> https://github.com/aadamowski ). More information in my aforementioned
> blog post.
I'll read this paper asap...
>
> During work on this, as a side effect, I've discovered several
> interoperability issues between MIT libkrb5 client and Apache DS's KDC
> implementation.
ApacheDS's implementation is far from perfect! I'd say that since 2007 we 
have not worked much on it, as we had to work full steam on the server 
itself.
>
> While several issues still remain, some of them have already been
> addressed in the process (without that I wouldn't even have been able
> to progress beyond the initial message in the Kerberos exchange), e.g.:
> http://thread.gmane.org/gmane.comp.apache.incubator.directory.devel/35632/focus=35687

Yeah, Kiran was very helpful here...
>
> I suppose that once the interoperability between MIT krb5 and Apache
> DS gets better, my proof of concept test will result in successful
> Kerberos ticket obtainment over KrbLDAP without any needed
> modifications in its code.
>
> Waiting anxiously for your feedback and constructive criticism,
The best here would be for you to jump on the bandwagon! If you are 
interested in participating in the Kerberos effort, we can help you 
understand how the current code is working. IMO, that would be the 
best possible solution, as we have a little knowledge about Kerberos 
(except when it comes to encoding/decoding the messages, and a few more 
things aside), but at least we know how the server is implemented.

It's not that complex to become a contributor! And we would really 
value a contributor who has deep knowledge of Kerberos :) All in 
all, providing a few patches that make the server better is the best 
way to get in!

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com