Kerberos Backend for LDAP

Luke Howard lukeh at PADL.COM
Tue Apr 15 19:27:00 EDT 2003


Greg wrote:
>I believe that such a facility has been implemented for Heimdal
>Kerberos.  I don't have a URL at hand but you may want to take a look
>at their WEB site or Google for a combination of Heimdal and LDAP.  I
>suspect that Luke from PADL may chime in, I believe that they have
>implemented something like this as well.

Well, we wrote the Heimdal LDAP backend, but we also have a proprietary
LDAP backend for Heimdal that supports a different schema. This has
been discussed on this list in the past.

Sam wrote:
>1) A backend to allow a KDC to use LDAP to store principal data.  This
>   has been implemented for Heimdal.
>
>2) An interface to allow LDAP to be used to look at principal data.
>   There is ongoing work in the IETF to specify such an interface.

One point I would make is that, just as there are potential exposures
created by storing keys in the directory along with public directory
information, there are potential exposures created by having identity
information in many different places with weak referential integrity.
There are a number of ways of dealing with this, but in the end we
chose to go the principal-information-in-the-directory route.

Sam also wrote:
>I don't think you can get both from the same approach.  And I'm not
>convinced that LDAP replication is really enough for Kerberos's needs.

Because there is no standardized LDAP replication protocol, you can't
speak of "LDAP replication" in the general sense. Some directory
servers have good replication models, others not so good, others 
are evolving (witness the LCUP work in OpenLDAP HEAD).

One of our arguments in favour of an LDAP-backed KDC was the fact
that you get replication "for free".

-- Luke

--
Luke Howard | PADL Software Pty Ltd | www.padl.com
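The "weak referential integrity" problem Luke raises above is easy to make concrete: when principals live in the KDC database and accounts live in the directory, nothing forces the two to agree. The following script is an added example (not part of the original message, and not PADL or Heimdal code) that cross-checks a list of KDC principals against an LDIF export of the directory and reports the usual drift: principals with no directory entry, directory entries with no principal, and, most interesting from a security standpoint, directory entries that still carry Kerberos key material for a principal the KDC no longer knows. The attribute names follow Heimdal's hdb LDAP schema (krb5PrincipalName, krb5Key, krb5KDCEntry); the principal list and the LDIF are constructed sample data, and the assumption that only user principals (no "/" in the name) should have a directory entry is a local policy choice, not something the schema imposes.

```python
"""Cross-check Kerberos principals against directory entries.

Added example; not from the original post, Heimdal or PADL. Attribute names
follow Heimdal's hdb LDAP schema; the data below is constructed.
"""

# Constructed sample of principal names as a KDC would list them
# (e.g. the output of `kadmin -l list '*'` on Heimdal).
KDC_PRINCIPALS = """\
alice@EXAMPLE.COM
bob@EXAMPLE.COM
host/kdc.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# Constructed LDIF export of the people subtree. Some entries carry Kerberos
# key material (krb5Key) next to ordinary directory data; one entry (carol)
# still has keys for a principal the KDC no longer lists, and one (dave)
# is a directory account with no Kerberos identity at all.
DIRECTORY_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: krb5KDCEntry
uid: alice
krb5PrincipalName: alice@EXAMPLE.COM
krb5Key:: AAEC

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: krb5KDCEntry
uid: carol
krb5PrincipalName: carol@EXAMPLE.COM
krb5Key:: AAED

dn: uid=dave,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: dave
"""


def parse_principals(text):
    """One principal name per line; blank lines ignored."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def parse_ldif(text):
    """Minimal LDIF parser: list of dicts mapping attribute -> [values].

    Entries are separated by blank lines. The 'attr:: base64' form is
    recognised only far enough to record that the attribute is present;
    the checks below never need the decoded value. Line continuations
    (leading space) are not handled, which is enough for this sample.
    """
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        value = value.lstrip(": ").strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def cross_check(kdc_text, ldif_text):
    """Report drift between the KDC's principal list and the directory."""
    principals = parse_principals(kdc_text)
    entries = parse_ldif(ldif_text)

    by_principal = {}
    for entry in entries:
        for name in entry.get("krb5PrincipalName", []):
            by_principal[name] = entry
    dir_principals = set(by_principal)

    # Assumed local policy: service principals (containing '/') live only in
    # the KDC, so only user principals are expected to have a directory entry.
    user_principals = {p for p in principals if "/" not in p}

    return {
        # user principals the KDC knows but the directory does not
        "kdc_only": sorted(user_principals - dir_principals),
        # directory entries naming a principal the KDC does not know
        "directory_only": sorted(dir_principals - principals),
        # the dangerous subset: key material left behind for unknown principals
        "stale_keys": sorted(p for p in dir_principals - principals
                             if "krb5Key" in by_principal[p]),
        # directory accounts with no Kerberos identity at all
        "no_principal": sorted(e["dn"][0] for e in entries
                               if "krb5PrincipalName" not in e),
    }


if __name__ == "__main__":
    for category, names in cross_check(KDC_PRINCIPALS, DIRECTORY_LDIF).items():
        print(f"{category}: {', '.join(names) or '(none)'}")
```

Run against real data by feeding the script the KDC's principal listing and an `ldapsearch -LLL` dump of the subtree that holds krb5KDCEntry objects; the "stale_keys" bucket is the one to act on first, since an entry whose krb5Key is still readable by whoever can read the rest of the record is exactly the exposure the message warns about.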

