[Kdc-info] RE: [kdc-schema] Preliminary draft of LDAP Kerberos schema

Neal-Joslin, Robert (HP-UX Lab R&D) bob.joslin at hp.com
Thu May 19 12:16:36 EDT 2005


> > Also, the information model for a Kerberos principal is similar
> > (though more restricted) to that of the "uid" attribute.  Is yet
> > another identity descriptor a good thing?
>
> Yes I believe it is and this is (again imo) what directory
> administrators do - create multiple unique identifiers in the
> directory which enables inter-namespace mapping. On the other hand
> I don't think this schema is successful in that respect or even
> faithfully represents the way identities and aliases are handled
> in Kerberos.

I agree.  But I would comment that I don't think mapping is a preferred
solution to a unified name space...

Just an FYI, I'm working through some final schema changes in an
informational draft (draft-joslin-config-schema-11.txt) that defines how
a DUA could use a mapping configuration to help minimize mapping in the
directory itself.  For example, if a deployment already uses uid and
its usage is compatible with a principal syntax, the KDC (as the DUA)
could be configured to use the uid attribute instead of the krbPrinciple
attribute.  It's even possible to combine attributes, such as domain and
uid to build a krbPrinciple dynamically.

Bob
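An illustration of the DUA-side mapping Bob describes, added here as an example that is not part of the thread or of draft-joslin-config-schema: the KDC asks for krbPrinciple, and a hypothetical mapping configuration (the MAPPING dict and its template form are this example's own invention, not the draft's syntax) lets it fall back to building the principal from uid and domain. The constructed entries include a uid that is not compatible with principal syntax, to show why that compatibility has to be checked before uid is reused as a principal name.

```python
import re
from string import Formatter

# Constructed sample entries, as a DUA would receive them from the directory.
ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": ["alice"], "domain": ["EXAMPLE.COM"]},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": ["bob"], "domain": ["EXAMPLE.COM"],
                                            "krbPrinciple": ["bob/admin@EXAMPLE.COM"]},
    "uid=mallory,ou=people,dc=example,dc=com": {"uid": ["mallory@OTHER.REALM"],
                                                "domain": ["EXAMPLE.COM"]},
}

# Hypothetical mapping (not the draft's syntax): for the attribute the KDC wants,
# an ordered list of sources. A source is a bare attribute name or a template
# that combines several attributes into one value.
MAPPING = {"krbPrinciple": ["krbPrinciple", "{uid}@{domain}"]}

COMPONENT = re.compile(r"^[A-Za-z0-9._-]+$")           # one name or realm component
PRINCIPAL = re.compile(r"^[^@/]+(?:/[^@/]+)*@[^@/]+$")  # name[/instance...]@REALM


def resolve_principal(entry, mapping=MAPPING):
    """Return the principal for a directory entry, or None if none can be built."""
    for source in mapping["krbPrinciple"]:
        fields = [f for _, f, _, _ in Formatter().parse(source) if f]
        if not fields:
            # Plain attribute: its value must already be a well-formed principal.
            values = entry.get(source) or []
            if values and PRINCIPAL.match(values[0]):
                return values[0]
            continue
        parts = {f: (entry.get(f) or [None])[0] for f in fields}
        if any(v is None for v in parts.values()):
            continue  # template cannot be built from this entry; try the next source
        # Each mapped value must be a single component: a uid containing '@' or '/'
        # would otherwise change the realm or instance of the synthesised principal.
        if not all(COMPONENT.match(v) for v in parts.values()):
            return None
        return source.format(**parts)
    return None


def resolve_all(entries=ENTRIES):
    return {dn: resolve_principal(e) for dn, e in entries.items()}
```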
