<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<STYLE type=text/css>BODY {
        MARGIN: 4px 4px 1px; LINE-HEIGHT: normal; FONT-VARIANT: normal
}
</STYLE>
<META content="MSHTML 6.00.2900.2604" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=505171315-18052005>I would concur with
Leif's comments. </SPAN><SPAN class=505171315-18052005>I also have a
couple observations.</SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=505171315-18052005></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=505171315-18052005>Should a KDC schema be
defining a password and account security policy? Or should one of the many
policies already defined be leveraged? I have usability concerns when it
comes to storing multiple policy syntaxes in a directory server, one that
integrates authentication for both LDAP-enabled and Kerberos-enabled
applications.</SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=505171315-18052005></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=505171315-18052005>Also, the information
model for a Kerberos principal is similar (though more restricted) to that of
the "uid" attribute. Is yet another identity descriptor a good
thing?</SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=505171315-18052005></SPAN> </DIV><SPAN
class=505171315-18052005></SPAN>Bob<SPAN class=505171315-18052005></SPAN><BR>
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> kdc-schema-bounces@mit.edu
[mailto:kdc-schema-bounces@mit.edu] <B>On Behalf Of </B>Rajasekaran
Nagarajan<BR><B>Sent:</B> Monday, May 16, 2005 8:49 PM<BR><B>To:</B>
kdc-info@mit.edu; kdc-schema@mit.edu<BR><B>Subject:</B> [kdc-schema]
Preliminary draft of LDAP Kerberos schema<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV>
<DIV>
<DIV>Attached is a preliminary draft of LDAP Kerberos schema.
</DIV></DIV></DIV>
<DIV>
<DIV>
<DIV>
</DIV></DIV></DIV>
<DIV>
<DIV>
<DIV>Please provide your comments on this, so that it can be refined to be
generic enough for catering to the needs of different Kerberos distributions.
</DIV></DIV></DIV>
<DIV>
<DIV>
<DIV>
</DIV></DIV></DIV>
<DIV>
<DIV>
<DIV>- Raj </DIV></DIV></DIV></BLOCKQUOTE></BODY></HTML>