[PATCH 0/3 v2] PolicyKit - Add Shadow authorisation framework

David Zeuthen david at fubar.dk
Sun Dec 16 18:54:13 PST 2007


On Sat, 2007-12-08 at 16:37 +0100, Diego González wrote:
> Hi,
> 
> Has this authentication/authorization framework been thought to work
> with Kerberos as authentication backend and LDAP as the authorization
> database?
> 
> Also, I was wondering if Polkit's policies are thought to live in a
> central database, something like an LDAP server so that they can be
> shared in large deployments.

Yes and yes.

 - Kerberos authentication already works via the PAM module pam_krb5
   or similar.

 - I'm working closely with the FreeIPA [1] team at Red Hat to use a
   directory server (such as the RH or Fedora Directory servers) as a
   backend for storing and managing authorizations. Haven't done a
   lot of stuff yet; dunno what public list it's going to be discussed
   on; will follow up on this list when there are more concrete plans.

Anyway, the latter is a lot more complex than just "using LDAP"; you
need to handle things like offline mode, notifications, local caching,
expiration etc. Lots of work! Fortunately the exact same problems need
to be solved for other services than authorization (authentication,
settings, audit etc.) and people are already working on those. So I hope
to just plug it into FreeIPA and profit.

Also, part of this is to manage authorizations for groups of users and
to use the Kerberos principal (e.g. DAVIDZ at REDHAT.COM) as the key
instead of the uid (e.g. 500) .. some work which is already
mentioned in the TODO list [2].

Hope this clarifies.

     David

[1] : http://freeipa.org/page/Main_Page

[2] :
http://gitweb.freedesktop.org/?p=PolicyKit.git;a=blob;h=fd5118014c4f4bebefdf20622530cd8e7c6ba9a8;hb=b5e019d783af8651db8e962c47b39942677ca6fd;f=doc/TODO



> 
> Thank you very much,
> Diego
> _______________________________________________
> hal mailing list
> hal at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/hal


