Diagram needed to explain gssapi mess

Hi,

Has anyone ever seen a diagram which simply explains how this load of **** all works?

I'm trying to get stuck into GSSAPI/SASL/KERBEROS/LDAP and it seems there's some kind of conspiracy out there to stop anyone from getting to grips with it all. All I can gather is that you have a security implementation which implements GSSAPI but that implements SASL but you don't have to?!?!?!?!? When is it going to end? Reading RFCs is worse than sticking your head in a blender and no one seems to be able to give a decent explanation of how it fits together, they just say install it and off you go. In fact, I think I might need to stick my head in a blender to get all the **** out of my head, either that or get an uzi and dish out some punishment to the idiots who keep regurgitating everything.

Please someone, explain in real, simple, proper terms how it fits together, preferably a real nice diagram.

Mister Agitated.

By ted_trippina at 2007-10-1 12:16:07
# 1

Hey Mister,

It's hilarious isn't it - I've described it all as a painful inside joke.

I was going to post you a link to a PDF of Java Security I once read, but since finding it again it doesn't seem to work; ha, there's some evidence to the conspiracy theory!

GSS is a standard 'hand-shaking' protocol. It is designed within the PAM paradigm, that is you can plug authentication modules in to it. Check this; the available modules (to my knowledge) are:

(1) Kerberos

(2) ... yeah, this is where I started laughing out of desperation.

So this led me to think understanding GSS depends on your understanding of Kerberos, as the only mechanism I had access to... deeper into the rabbit hole!... where the real joke is [not Kerberos itself]; could I ever get a worse feeling of 'that subject is beyond the scope of this subject....' blah blah blah, they're the same frickin subject man!

Check this link for some perspective in a Windows context - it's more of a jargon buster but the Windows context always adds a layer of bullshit for me : http://www.mcmcse.com/win2k/guides/kerberos.shtml

[move... away... from... the... blender]

Anyway, after sifting through the copious amounts of **** Google chucked at me [not a knock to Google], I realised you need to have access to a kerberos server [ha, realising there was a server involved - ignorance, who said it was bliss] and accompanying support technologies; if you don't and aren't prepared to deploy said technologies, then you're screwed - well, (J)GSS in this situation is useless.

I'm not familiar with SASL (or any of the rest of it for that matter, ha), but the way you've made reference to it suggests it is an alternative plugin-module. Anyone?

LDAP pops up in so many different situations it's hard to stay clear on its purpose, although I'm sure it's just a directory service. I guess in the security context, it is a restricted resource and its authentication mechanism can be utilised and extended to protect client-systems too, perhaps even clients that otherwise have no interest in it.

My best guess is that this stuff is targeted at people who have had a professional education in this, security, field and with that they can hit the ground running, knowing all about the technologies and various acronyms.

I've gone through the pain barrier on this one some months ago trying to re-implement the Java Policy for dynamic/run-time permissions and JAAS integration. I thought to use JGSS in the client-server system but as described above found 'Kerberos' guarding its secrets [... poor, I know].

Advice, meditate; close your eyes and imagine a room full of ming vases, china wear and grand chandeliers... go into it.... with a baseball-bat... and smash it all to ****!

It works for me.

Mister Repressed

ps. what is it you are attempting to do anyway; if you have a specific problem/project-task then please elaborate. D

bishopd81a at 2007-7-10 14:19:24
# 2

Hey Bishop,

Cheers for your response. The only way to approach this bedlam seems to be with a smile on your face and a drip in your arm, what's in the drip you choose!

As my company needs a java LDAP server to ship with our product I turned my head to Apache Directory Service. It's up and coming but still in the very early stages, they only support simple authentication. Our product uses kerberos to authenticate. So, for a laugh (who's laughing now? not me) I decided to see if I couldn't contribute a GSS api implementation. Unfortunately the ApacheDS being in its infancy also has docs at the same level (actually, less than that) so I'm trying to get my head round this real low level stuff.

It would appear no one actually properly understands how it all gels as everyone relays a different description on how it works. So, what I'm after is a diagram preferably which shows everything in its place to help visualise the tangled mess.

FYI from my dealings with openLDAP and cyrus SASL I believe SASL to be nothing more than yet another interface. When you build it you link in all your libraries (GSS, MD5, SHA1, etc.) then when a client tries to connect to LDAP it responds with the list of mechanisms available and the client selects the best one it knows of. Or something like that, the cyrus SASL site is a little lacking.

I've calmed down since yesterday so I think I'll just grab a coffee and read a book.

Mister feeling-better.

ted_trippina at 2007-7-10 14:19:24
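To make the mechanism negotiation Ted sketches concrete: the server advertises its SASL mechanisms (in LDAP, via the supportedSASLMechanisms attribute of the root DSE) and the client picks one, but the client should apply its own policy rather than simply take the "best" the server offers, since an unauthenticated advertisement can be trimmed to weaker options. This is an added example in Python, not code from the thread, ApacheDS or Cyrus SASL; the root DSE dictionaries and the policy sets are constructed for illustration.

```python
# Client-side SASL mechanism selection with a downgrade-resistant policy.
# Mechanism names are the standard SASL ones; everything else is constructed sample data.

# Client preference order, strongest first (GSSAPI here means Kerberos via GSSAPI).
CLIENT_PREFERENCE = ["GSSAPI", "DIGEST-MD5", "CRAM-MD5", "PLAIN"]

# PLAIN sends the password itself, so it is only acceptable under TLS.
TLS_ONLY = {"PLAIN"}

# The MD5-based challenge/response mechanisms are obsolete; refuse them unless
# the caller opts in explicitly (constructed policy, not a protocol rule).
DEPRECATED = {"DIGEST-MD5", "CRAM-MD5"}


def advertised_mechanisms(root_dse):
    """Pull the advertised SASL mechanism list out of a root DSE-like dict."""
    return [m.upper() for m in root_dse.get("supportedSASLMechanisms", [])]


def choose_mechanism(advertised, tls_active, allow_deprecated=False):
    """Return the first client-preferred mechanism that the server offers and
    that local policy permits; raise ValueError instead of silently downgrading."""
    offered = {m.upper() for m in advertised}
    for mech in CLIENT_PREFERENCE:
        if mech not in offered:
            continue
        if mech in TLS_ONLY and not tls_active:
            continue
        if mech in DEPRECATED and not allow_deprecated:
            continue
        return mech
    raise ValueError("no acceptable SASL mechanism among: " + ", ".join(sorted(offered)))


# Constructed sample root DSEs: a normal server and one whose advertisement
# (or a man-in-the-middle) only leaves the weakest mechanism.
SAMPLE_ROOT_DSE = {"supportedSASLMechanisms": ["PLAIN", "DIGEST-MD5", "GSSAPI"]}
DOWNGRADED_ROOT_DSE = {"supportedSASLMechanisms": ["PLAIN"]}

if __name__ == "__main__":
    print(choose_mechanism(advertised_mechanisms(SAMPLE_ROOT_DSE), tls_active=False))
    try:
        choose_mechanism(advertised_mechanisms(DOWNGRADED_ROOT_DSE), tls_active=False)
    except ValueError as err:
        print("refused:", err)
```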