From rnagarajan at novell.com Mon May 16 23:48:42 2005
From: rnagarajan at novell.com (Rajasekaran Nagarajan)
Date: Mon, 16 May 2005 21:48:42 -0600
Subject: [Kdc-info] Preliminary draft of LDAP Kerberos schema

Attached is a preliminary draft of LDAP Kerberos schema. Please provide your comments on this, so that it can be refined to be generic enough to cater to the needs of different Kerberos distributions.

- Raj

Attachment: draft-rajasekaran-kerberos-schema-00.txt
URL: http://mailman.mit.edu/pipermail/kdc-info/attachments/20050516/de9e8688/attachment.txt


From leifj at it.su.se Wed May 18 03:11:37 2005
From: leifj at it.su.se (Leif Johansson)
Date: Wed, 18 May 2005 09:11:37 +0200
Subject: [Kdc-info] Preliminary draft of LDAP Kerberos schema
Message-ID: <428AEAA9.8060308@it.su.se>

Rajasekaran Nagarajan wrote:
> Attached is a preliminary draft of LDAP Kerberos schema.
>
> Please provide your comments on this, so that it can be refined to be
> generic enough to cater to the needs of different Kerberos
> distributions.
>
> - Raj

Hi Raj,

The krb-wg reached consensus some time ago to finalize an abstract information model for Kerberos and design a schema working from that model. I have attached the latest version of the model. Can you comment on how your schema fits into this model?

Cheers Leif

Attachment: draft-johansson-kerberos-model-01.txt
URL: http://mailman.mit.edu/pipermail/kdc-info/attachments/20050518/c3358871/attachment.txt


From bob.joslin at hp.com Wed May 18 12:18:41 2005
From: bob.joslin at hp.com (Neal-Joslin, Robert (HP-UX Lab R&D))
Date: Wed, 18 May 2005 09:18:41 -0700
Subject: [Kdc-info] RE: [kdc-schema] Preliminary draft of LDAP Kerberos schema
Message-ID: <632116003944094FB495E72A6EDB90B2012EC9B5@cacexc10.americas.cpqcorp.net>

I would concur with Leif's comments. I also have a couple of observations.

Should a KDC schema be defining a password and account security policy? Or should one of the many policies already defined be leveraged? I have usability concerns when it comes to storing multiple policy syntaxes in a directory server, one that integrates authentication for both LDAP-enabled and Kerberos-enabled applications.

Also, the information model for a Kerberos principal is similar (though more restricted) to that of the "uid" attribute. Is yet another identity descriptor a good thing?

Bob


From leifj at it.su.se Thu May 19 04:19:38 2005
From: leifj at it.su.se (Leif Johansson)
Date: Thu, 19 May 2005 10:19:38 +0200
Subject: [Kdc-info] RE: [kdc-schema] Preliminary draft of LDAP Kerberos schema
In-Reply-To: <632116003944094FB495E72A6EDB90B2012EC9B5@cacexc10.americas.cpqcorp.net>
Message-ID: <428C4C1A.7000809@it.su.se>

Neal-Joslin, Robert (HP-UX Lab R&D) wrote:
> I would concur with Leif's comments. I also have a couple of observations.
>
> Should a KDC schema be defining a password and account security policy?

No, absolutely not (imo). There is already well-established schema and even extensions in LDAP space for doing this. If the requirements of Kerberos or a particular KDC are incompatible with the (for good and bad) established LDAP standard, then vendor extensions to the base schema are the way to go. The information model contains a policy extension framework which can be used to model password policy etc.

> Or should one of the many policies already defined be leveraged? I have
> usability concerns when it comes to storing multiple policy syntaxes in
> a directory server, one that integrates authentication for both
> LDAP-enabled and Kerberos-enabled applications.
>
> Also, the information model for a Kerberos principal is similar (though
> more restricted) to that of the "uid" attribute. Is yet another
> identity descriptor a good thing?

Yes, I believe it is, and this is (again imo) what directory administrators do: create multiple unique identifiers in the directory which enable inter-namespace mapping. On the other hand, I don't think this schema is successful in that respect, or even faithfully represents the way identities and aliases are handled in Kerberos. This is the reason why the schema has to be evaluated against the model.

Cheers Leif


From bob.joslin at hp.com Thu May 19 12:16:36 2005
From: bob.joslin at hp.com (Neal-Joslin, Robert (HP-UX Lab R&D))
Date: Thu, 19 May 2005 09:16:36 -0700
Subject: [Kdc-info] RE: [kdc-schema] Preliminary draft of LDAP Kerberos schema
Message-ID: <632116003944094FB495E72A6EDB90B2012ECCB9@cacexc10.americas.cpqcorp.net>

> > Also, the information model for a Kerberos principal is similar (though
> > more restricted) to that of the "uid" attribute. Is yet another
> > identity descriptor a good thing?
>
> Yes, I believe it is, and this is (again imo) what directory
> administrators do: create multiple unique identifiers in the directory
> which enable inter-namespace mapping. On the other hand, I don't think
> this schema is successful in that respect, or even faithfully represents
> the way identities and aliases are handled in Kerberos.

I agree. But I would comment that I don't think mapping is a preferred solution to a unified name space...

Just an FYI, I'm working through some final schema changes in an informational draft (draft-joslin-config-schema-11.txt) that defines how a DUA could use a mapping configuration to help minimize mapping in the directory itself. For example, if a deployment already uses uid and its usage is compatible with a principal syntax, the KDC (as the DUA) could be configured to use the uid attribute instead of the krbPrinciple attribute. It's even possible to combine attributes, such as domain and uid, to build a krbPrinciple dynamically.

Bob
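As an added example (not code from the thread, the schema draft, or the config-schema draft), the DUA-style mapping Bob describes: a KDC reads attributeMap values in the draft's "serviceId:origAttribute=newAttribute" form to decide which directory attribute supplies the principal, and refuses values that would make the mapped principal ambiguous or let one directory value pose as another principal. The serviceId "kdc", the attribute name krbPrincipalName, and the "uid+domain" composition rule are assumptions for illustration, not the draft's own syntax.

```python
import re

# A mapped local-name component must not carry an embedded "@" or "/": either
# would let one directory value masquerade as a different principal or instance.
_BAD_CHARS = re.compile(r"[@/\s\x00-\x1f]")

def parse_attribute_map(values, service_id="kdc"):
    """Parse attributeMap values "<serviceId>:<orig>=<new>" for one service (serviceId "kdc" is assumed)."""
    mapping = {}
    for value in values:
        service, sep, rule = value.partition(":")
        if not sep or service.strip() != service_id or "=" not in rule:
            continue
        orig, new = rule.split("=", 1)
        mapping[orig.strip()] = new.strip()
    return mapping

def _single_value(entry, attr):
    """Require exactly one value: a multi-valued source makes the principal ambiguous."""
    values = entry.get(attr, [])
    if len(values) != 1:
        raise ValueError(f"{attr} must have exactly one value, got {len(values)}")
    return values[0]

def build_principal(entry, mapping, default_realm):
    """Derive name@REALM from an LDAP entry (dict of attribute -> list of values).

    "uid+domain" is a hypothetical composition rule, not the draft's syntax:
    local name from the first attribute, realm from the second.
    """
    source = mapping.get("krbPrincipalName", "krbPrincipalName")
    if "+" in source:
        user_attr, realm_attr = source.split("+", 1)
        local = _single_value(entry, user_attr)
        realm = _single_value(entry, realm_attr).upper()
    else:
        local = _single_value(entry, source)
        realm = default_realm
    if not local or _BAD_CHARS.search(local):
        raise ValueError(f"unsafe local name {local!r} from attribute {source}")
    if not realm or _BAD_CHARS.search(realm):
        raise ValueError(f"unsafe realm {realm!r}")
    return f"{local}@{realm}"

# Constructed sample data, not real directory content.
SAMPLE_MAP = ["passwd:uid=userName", "kdc:krbPrincipalName=uid+domain"]
SAMPLE_ENTRY = {"uid": ["alice"], "domain": ["example.com"], "cn": ["Alice"]}
```

Running build_principal(SAMPLE_ENTRY, parse_attribute_map(SAMPLE_MAP), "EXAMPLE.COM") yields alice@EXAMPLE.COM; a uid of "alice@other.org" or a second uid value is rejected rather than silently mapped.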