[Kdc-info] RE: [kdc-schema] Preliminary draft of LDAP Kerberos schema

Rajasekaran Nagarajan rnagarajan at novell.com
Thu May 19 10:29:21 EDT 2005


There may be two configurations for Kerberos passwords.
1) The Kerberos password and the LDAP user password are the same. In this
case, the LDAP password policy can be used.
2) The Kerberos password is different from the LDAP user password. Here,
the Kerberos password policy can be used.

This is why we have krbPwdPolicy defined.

As Leif had asked for, I shall comment on how the schema fits into the
information model.

Thanks...
Regards - Raj

>>>Leif Johansson <leifj at it.su.se> 05/19/05 8:19 am >>>
Neal-Joslin, Robert (HP-UX Lab R&D) wrote:
>I would concur with Leif's comments.  I also have a couple
>observations.
> 
>Should a KDC schema be defining a password and account security policy?


No, absolutely not (imo). There is already well established schema and
even extensions in LDAP space for doing this. If the requirements of
Kerberos or a particular KDC are incompatible with the (for good and
bad) established LDAP standard, then vendor extensions to the base
schema are the way to go.

The information model contains a policy extension framework which can
be used to model password policy etc.

>Or should one of the many policies already defined be leveraged?  I
>have usability concerns when it comes to storing multiple policy
>syntaxes in a directory server, one that integrates authentication for
>both LDAP-enabled and Kerberos-enabled applications.
> 
>Also, the information model for a Kerberos principal is similar (though
>more restricted) to that of the uid attribute.  Is yet another
>identity descriptor a good thing?

Yes, I believe it is, and this is (again imo) what directory administrators
do: create multiple unique identifiers in the directory, which
enables inter-namespace mapping. On the other hand, I don't think this
schema is successful in that respect, or even faithfully represents the
way identities and aliases are handled in Kerberos.

This is the reason why the schema has to be evaluated against the model.

Cheers Leif
