Kerberos Backend for LDAP

Booker Bense bbense at SLAC.Stanford.EDU
Tue Apr 15 13:51:33 EDT 2003

On Tue, 15 Apr 2003, Matthew Smith wrote:

> Thank you for the reply! Luke has indeed responded to me as well, but I
> think I may have communicated the wrong idea.  I am looking to keep all
> the info stored in a KDC, but provide a bare LDAP interface to the
> "non-credential" data.  I would like the following:
> LDAP-Client <--->  LDAP Interface  <--->  KDC
> Where the LDAP client can now retrieve information of the form (for
> example):
> dn: krbprinc=myprinc, ou=REALM, dc=my2LD, dc=myTLD
> PrincExpiration:200407090000
> KrbLastModifyTime:200304150830
> LastLogin:200304150800
> ...etc...
> even though ALL this data remains stored in the KDC.
> Any thoughts on this type of architecure?  It seems to me that storing
> the credential information in LDAP (which was not built to be an
> authenticator, but rather a single-purpose DB) is a bad idea, so I would
> rather keep the credential store in Kerberos (built from ground up to be
> an authenticator), and simply provide a restricted LDAP "interface" to
> the informational fields in the KDC Database.

- There are quite a few people that think this kind of setup
would be a good idea. It would help in a lot of areas in which
kerberos is currently very weak or has missing standards.
Probably the biggest benefit would be a standardized admin
interface and an incremental replication protocol. Although
since LDAP lacks record locking, you'd have to be a bit

- As far as I know, nobody has implemented this. There are
a couple hare-brained schemes to put an LDAP back end on
a KDC, but that seems exactly the wrong thing to do. There
is an informational RFC for a schema which is at least the
first step. Now somebody needs to write an openLDAP back-end
which can talk to an existing KDC database. I don't think
this would be tremendously difficult, but nobody has yet
done it. It's been on my list of things I would like to
do if I could ever find the time (ie. convince my boss to
pay me to do. ). However, since my job is no longer very
much related to kerberos, the chances of my doing this
are slim. Here are my notes on the subject if you are
curious, they are several years out of date.

- Booker C. Bense

More information about the Kerberos mailing list