Kerberos Backend for LDAP

Booker Bense bbense at SLAC.Stanford.EDU
Wed Apr 16 14:00:15 EDT 2003


On Tue, 15 Apr 2003, Sam Hartman wrote:

> >>>>> "Booker" == Booker Bense <bbense at SLAC.Stanford.EDU> writes:
>
>     Booker> - There are quite a few people that think this kind of
>     Booker> setup would be a good idea. It would help in a lot of
>     Booker> areas in which Kerberos is currently very weak or has
>     Booker> missing standards.  Probably the biggest benefit would be
>     Booker> a standardized admin interface and an incremental
>     Booker> replication protocol. Although since LDAP lacks record
>     Booker> locking, you'd have to be a bit careful.
>
> I don't think you can get both from the same approach.

- I don't follow the logic here, but since nobody's working on it
I think it's a dead issue. If I can add/change/delete entries as
an admin, why can't I do it as a program? I've implemented such
an approach between K4 and K5; I don't see why it wouldn't work
between K5 and K5. It does require a single choke point and a
queueing system of some sort.

> And I'm not
> convinced that LDAP replication is really enough for Kerberos's needs.
>

- As opposed to kprop? Outside of a perhaps increased security
level, what requirements does Kerberos have that LDAP doesn't? Of
course there is the gotcha that there is no current LDAP
replication standard, but at least one is in the works.
At sites deploying both MIT and W2k, LDAP is already the de facto
replication standard.

- Booker C. Bense
