[Kdc-info] RE: [kdc-schema] Preliminary draft of LDAP Kerberos schema

Leif Johansson leifj at it.su.se
Thu May 19 04:19:38 EDT 2005


Neal-Joslin, Robert (HP-UX Lab R&D) wrote:
> I would concur with Leif's comments.  I also have a couple observations.
>  
> Should a KDC schema be defining a password and account security policy?  

No, absolutely not (imo). There is already well established schema and
even extensions in ldap space for doing this. If the requirements of
kerberos or a particular kdc are incompatible with the (for good and
bad) established ldap standard then vendor extensions to the base
schema are the way to go.

The information model contains a policy extension framework which can
be used to model password policy etc.

> Or should one of the many policies already defined be leveraged?  I have 
> usability concerns when it comes to storing multiple policy syntaxes in 
> the a directory server, one that integrates authentication for both 
> LDAP-enabled and Kerberos-enabled applications.
>  
> Also, the information model for a Kerberos principle is similar (though 
> more restricted) to that of the "uid" attribute.  Is yet another 
> identity descriptor a good thing?

Yes, I believe it is, and this is (again imo) what directory administrators
do - create multiple unique identifiers in the directory which
enables inter-namespace mapping. On the other hand I don't think this
schema is successful in that respect or even faithfully represents the
way identities and aliases are handled in kerberos.

This is the reason why the schema has to be evaluated against the model.

	Cheers Leif