Kerberos 5, LDAP, and Time-of-Day Constraints?
David asks: "I've come across a need for a single sign-on solution needing the ticket services of KRB5 and the backend store of LDAP for an enterprise system involving multiple operating systems. KRB and LDAP are required components. In short, the solution needs to authenticate users and authorize host/group/client services such as SSH based on a time-of-day/day-of-week schedule. With PAM, time-of-day is easily arranged in a flat file: /etc/security/time.conf using pam_time.so. Unfortunately, this is a single host-based answer, and the complex collection of systems in use means this isn't feasible. It's certainly easy to extend a KRB5 schema for LDAP to store this information, but I haven't found any place that utilizes such a setup. In contrast, this is found on Microsoft but that isn't a solution we're willing to engage. So the question is, are there any resources available where this feature of pam_time.so is pushed into the Kerberos/LDAP interaction or do I need another layer dictating authorization values to KRB?"
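The question's core is that the pam_time.so policy language (the `services;ttys;users;times` lines in /etc/security/time.conf) is only evaluated per host. The following is an added example, not code from the question or from any project, showing what a centralized evaluator of that same rule syntax looks like: it parses time.conf-style rules, including day codes, HHMM-HHMM ranges, `|`/`&` logic lists, `!` negation and ranges that wrap midnight, and applies pam_time's deny-if-any-matching-rule-fails semantics. The rules here are constructed sample text; the idea that a host would fetch them from a directory attribute instead of a local file is an assumption, and shell-style glob matching via `fnmatch` is a simplification of pam_time's own wildcard handling.

```python
"""Evaluate pam_time-style time-of-day rules outside of PAM.

Each rule uses the /etc/security/time.conf layout the question refers to:
    services ; ttys ; users ; times
Fields are logic lists: tokens joined by '|' (or) or '&' (and), optionally
negated with '!'; '*' is a wildcard. Time tokens are day codes followed by
HHMM-HHMM, e.g. Wk0800-1800 or !Wd0000-2400.
"""
from datetime import datetime
import fnmatch

# Day codes as pam_time defines them; Python weekday(): Monday == 0.
DAY_CODES = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": set(range(7)),
}

# Constructed sample rule set. In a centralized design these lines would be
# fetched per host from a directory attribute (hypothetical) instead of a file.
SAMPLE_RULES = """
# services ; ttys ; users ; times
sshd  ; *             ; contractor*    ; Wk0800-1800
sshd  ; *             ; nightshift     ; Wk2200-0600
sshd  ; *             ; !root & !admin ; !Wd0000-2400
login ; tty* & !ttyp* ; root           ; !Al0000-2400
"""


def _eval_logic(expr, predicate):
    """Evaluate a logic list left to right, the way pam_time does."""
    result, op, token = None, None, ""
    for ch in expr.strip() + "|":          # trailing '|' flushes the last token
        if ch not in "|&":
            token += ch
            continue
        hit = predicate(token.strip())
        if result is None:
            result = hit
        elif op == "|":
            result = result or hit
        else:
            result = result and hit
        op, token = ch, ""
    return bool(result)


def _glob_predicate(value):
    """Token matcher for the services/ttys/users fields (shell-style globs)."""
    def predicate(token):
        negate = token.startswith("!")
        pattern = token.lstrip("!")
        hit = pattern == "*" or fnmatch.fnmatchcase(value, pattern)
        return (not hit) if negate else hit
    return predicate


def _match_time(token, when):
    """True if `when` falls inside one day-code + HHMM-HHMM token."""
    negate = token.startswith("!")
    token = token.lstrip("!")
    days, i = set(), 0
    while token[i:i + 2] in DAY_CODES:
        days ^= DAY_CODES[token[i:i + 2]]   # repeated codes unset, as in pam_time
        i += 2
    start, end = (int(part) for part in token[i:].split("-"))
    now = when.hour * 100 + when.minute
    day = when.weekday()
    if start <= end:
        in_window = start <= now < end
    elif now >= start:                      # window wraps midnight: evening half
        in_window = True
    elif now < end:                         # early-morning half belongs to yesterday
        in_window, day = True, (day - 1) % 7
    else:
        in_window = False
    hit = in_window and day in days
    return (not hit) if negate else hit


def parse_rules(text):
    """Parse time.conf-style text into (services, ttys, users, times) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 4:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append(tuple(fields))
    return rules


def is_permitted(rules, service, tty, user, when):
    """pam_time semantics: deny if any rule whose services, ttys and users
    fields all match has a times field that is false for `when`; with no
    matching rule the request is permitted."""
    for services, ttys, users, times in rules:
        if (_eval_logic(services, _glob_predicate(service))
                and _eval_logic(ttys, _glob_predicate(tty))
                and _eval_logic(users, _glob_predicate(user))):
            if not _eval_logic(times, lambda t: _match_time(t, when)):
                return False
    return True


def decide(service, tty, user, iso_when, rules_text=SAMPLE_RULES):
    """Convenience wrapper: evaluate rule text at an ISO-8601 timestamp."""
    return is_permitted(parse_rules(rules_text), service, tty, user,
                        datetime.fromisoformat(iso_when))


if __name__ == "__main__":
    for args in [("sshd", "pts/0", "contractor1", "2024-01-03T10:00"),
                 ("sshd", "pts/0", "contractor1", "2024-01-03T20:00"),
                 ("sshd", "pts/0", "alice", "2024-01-06T10:00"),
                 ("login", "tty1", "root", "2024-01-01T12:00")]:
        print(args, "->", "permit" if decide(*args) else "deny")
```

Because the decision is a pure function of (service, tty, user, time, rules), the same evaluator can sit behind an SSH `AuthorizedPrincipals`-style hook, a PAM module, or a central authorization service; the only host-specific input is the clock, which is exactly why a Kerberos deployment already requires synchronized time.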
In contrast, this is found on Microsoft but that isn't a solution we're willing to engage.
;-)
"willing to engage"?
Take a course on management-speak recently?
Anyway... You can use a Microsoft KDC without bothering with the rest of the AD overhead (at least not on any other machines). If you just don't want to commit yourself to implementing a full domain with AD, you can do just the one Windows server and the rest your 'nix of choice.
That will satisfy all your target constraints except for actualizing your non microsofterian design paradigm, while still leveraging your market share of intellectual property and maximizing your focal penetration.
Hmm... Okay, ignore that last bit. Past my bedtime.