<html>
<head>
<style type="text/css">
<!--
body { line-height: normal; font-variant: normal; margin-left: 4px; margin-bottom: 1px; margin-right: 4px; margin-top: 4px }
-->
</style>
</head>
<body style="margin-left: 4px; margin-bottom: 1px; margin-right: 4px; margin-top: 4px">
<DIV> There may be two configurations for Kerberos passwords.
</DIV>
<DIV>1) Kerberos password and the LDAP user password are the same. In this case, LDAP password policy can be used.
</DIV>
<DIV>2) Kerberos password is different from LDAP user password. Here, Kerberos password policy can be used.
</DIV>
<DIV> </DIV>
<DIV>This is why we have krbPwdPolicy defined.
</DIV>
<DIV> </DIV>
<DIV>As Leif had asked for, I shall comment on how the schema fits into the information model.
</DIV>
<DIV> </DIV>
<DIV>Thanx...
</DIV>
<DIV>Regards - Raj</DIV>
<DIV> </DIV>
<DIV>>>>Leif Johansson <leifj@it.su.se> 05/19/05 8:19 am >>></DIV>
<DIV>Neal-Joslin, Robert (HP-UX Lab R&D) wrote:<br>>I would concur with Leif's comments.  I also have a couple of observations.<br>> <br>>Should a KDC schema be defining a password and account security policy?</DIV>
<DIV>No, absolutely not (imo). There is already well established schema and even extensions in ldap space for doing this. If the requirements of kerberos or a particular kdc are incompatible with the (for good and bad) established ldap standard then vendor extensions to the base schema are the way to go.</DIV>
<DIV>The information model contains a policy extension framework which can be used to model password policy etc.</DIV>
<DIV>>Or should one of the many policies already defined be leveraged?  I have<br>>usability concerns when it comes to storing multiple policy syntaxes in<br>>a directory server, one that integrates authentication for both<br>>LDAP-enabled and Kerberos-enabled applications.<br>> <br>>Also, the information model for a Kerberos principal is similar (though<br>>more restricted) to that of the "uid" attribute.  Is yet another<br>>identity descriptor a good thing?</DIV>
<DIV>Yes, I believe it is, and this is what (again imo) directory administrators do - create multiple unique identifiers in the directory which enable inter-namespace mapping. On the other hand, I don't think this schema is successful in that respect or even faithfully represents the way identities and aliases are handled in kerberos.</DIV>
<DIV>This is the reason why the schema has to be evaluated against the model.</DIV>
<DIV>Cheers Leif</DIV>
</body>
</html>