Kerberos Backend for LDAP

Matthew Smith matt at
Wed Apr 16 15:52:19 EDT 2003

Booker Bense wrote:
> On Tue, 15 Apr 2003, Sam Hartman wrote:
>>>>>>>"Booker" == Booker Bense <bbense at SLAC.Stanford.EDU> writes:
>>    Booker> - There are quite a few people that think this kind of
>>    Booker> setup would be a good idea. It would help in a lot of
>>    Booker> areas in which kerberos is currently very weak or has
>>    Booker> missing standards.  Probably the biggest benefit would be
>>    Booker> a standardized admin interface and an incremental
>>    Booker> replication protocol. Although since LDAP lacks record
>>    Booker> locking, you'd have to be a bit careful.
>>I don't think you can get both from the same approach.
> - I don't follow the logic here, but since nobody's working on it
> I think it's a dead issue. If I can add/change/delete entries as
> an admin, why can't I do it as a program? I've implemented such
> an approach between K4 and K5, I don't see why it wouldn't work
> between K5 and K5? It does require a single choke point and a
> queueing system of some sort.
>>And I'm not
>>convinced that LDAP replication is really enough for Kerberos's needs.
> - As opposed to kprop? Outside of a perhaps increased security
> level what requirements does kerberos have that LDAP doesn't? Of
> course there is the gotcha that there is no current LDAP
> replication standard, but at least one is in the works.
> At sites deploying both MIT and W2k, ldap is already the defacto
> replication standard.
> - Booker C. Bense
> ________________________________________________
> Kerberos mailing list           Kerberos at

Disclaimer: I will admit, right off the bat, that I am not very familiar 
with OpenLDAP.
If there was a back-krb5 for OpenLDAP, would an unmodified slurpd be 
able to replicate the krb info, since slurpd just sees it as LDAP info? 
  Does slurpd use the LDAP interface for obtaining data to replicate, or 
does it tie in somewhere behind the scenes?

More information about the Kerberos mailing list