Win logon to a MIT Kerberos V KDC?
Luke Howard
lukeh at PADL.COM
Fri Sep 27 09:48:42 EDT 2002
> Luke> Adding support to a KDC for the PAC is not that difficult if
> Luke> you have a sensible architecture (for example, an integrated
> Luke> directory backend for the KDC). The difficulty lies in some
> Luke> of the other, unpublished, protocols which are necessary to
> Luke> domain logon.
>
>Isn't M$ publishing all the addition/changes to the LDAP/Kerberos
>protocol?
Not all of them, and there are other protocols other than Kerberos
that are necessary. Microsoft might license them to you, though:
http://www.microsoft.com/legal/protocols/
You will need to execute a non-disclosure agreement before they will
disclose the licensing terms.
>And 'integrated directory backend'. Couldn't that be a OpenLDAP2
>server tied with Kerberos (the way openldap2+heimdal combo does it)?
What, the one we wrote? :-) In principle, yes, but there are a number of
other issues, such as name canonicalization, that require changes to
the KDC frontend and Kerberos libraries as well as the backend.
The following article, although partly inaccurate, has a good summary
of what would be required:
http://www.usenix.org/publications/login/1998-5/brundrett.html
More information on our implementation is at:
http://www.padl.com/Research/XAD.html
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com