So, I took a stab at augmenting the Kerberos resolver example branch. I currently have it working by combining that branch with the 2.17-1xenial version of the packages available on Ubuntu and changes contributed by gfa...@soundhound.com in this thread:
https://groups.google.com/forum/#!msg/privacyidea/zr2wepesUnU/kWXYHyPtPQAJ
I then took the liberty of extending the getResolverClassDescriptor for the Kerberos Resolver allowing the ability to specify the principal to use.
The magic sauce that makes all of this work is adding an env = KRB5_KTNAME=<keytab file> param to uwsgi. In this way, this app can verify creds directly against kerberos while using its own service principal that is specifiable. All while being run in tyrant mode with least privilege. This at the very least is a point for documentation.
Is this work useful? If so, where should it go?
@cornelinux , I do not have notifications turned on. Apologies for the rather delayed response.
Kerberos use will be rather rare; no arguments. The difficulty rating for Kerberos is a personal opinion; it isn't much harder than LDAP once one understands how it works.
The reason the work I was talking about is useful (to me) is that it allows me to assign a Kerberos principal to the OTP service itself. So, when cred validation occurs, the service, using its principal, talks to Kerberos. In this way, all the handshaking that occurs within a Kerberos transaction succeeds and validation can proceed.
The Kerberos resolver extends the LDAP resolver. Cannot use one without the other in this case. It is not an either/or scenario.
I have no problem keeping this to myself and my own installation. There have been a couple of people now looking for such functionality, and it took quite a while tracking down the various attempts and extending them into this. Thought I would contribute back if you wanted it.