openldap principal

g.w@hurderos.org
Wed Jul 7 12:15:05 EDT 2004


On Jul 1, 10:06pm, Frederic Medery wrote:
} Subject: openldap principal

> Hello Everybody,

Good morning, hope the day is going well for everyone.

> My goal : replace nis with ldap /kerberos

Depending on our timeframe you may want to take a look at the Hurderos
Project.  It's a GPL'ed project for managing this type of environment.
More information can be found at:

	http://www.hurderos.org

Our goal for the 1.0.0 release is a solid platform for managing a
simple integrated LDAP/Kerberos environment.  We are hoping that
September 1st will be a reasonable target date to accomplish that.

> I just read the Kerberos and the LDAP book (O'Reilly).
> I also read some how-to on the web
> 
> I know that I have to create an ldap/host@REALM principal for the ldap server.
> I have to create a ldapadmin user (configured in the slapd.conf).
> 
> My question is: Do I have to create all the user principals, or when I 
> create an ldap user, do I have to create it inside kerberos, or will the ldap 
> admin principal create it for me?

In a classical split identification/authentication environment there
is a requirement to populate the LDAP directory with a user
identification object and the KDC with a user authentication identity.

In the Hurderos single-identity/services model this is handled by
creating separate service identities which are bound to the intrinsic
user identity.  The creation/binding of the service identity instances
trips off the service provisioning system which manages the details of
actually stuffing the appropriate information into the LDAP directory
server and the KDC.

All of this gets handled inside of something called ISME (Identity &
Services Management Engine) and is transparent to whoever is actually
managing or administrating the system with a GUI.  Conceptually the
above operation translates into finding the user, right-clicking on
them and selecting the AUTHENTICATION and IDENTITY services.

There still needs to be an ldap/HOSTNAME@REALM principal created with
an appropriate keytab on the target server.  We are teaching ISME to
handle this (provided the server is boot-strapped with a host
principal) when the server identity is created and the service
identity gets bound to it.

There is no concept of an LDAP administrative user per se.  The
IDENTITY service has both an intrinsic identity and an authentication
identity, the latter of which ISME uses to authenticate the directory
transactions.

> thanks !
> 
> F

I will spare the list further self-indulgence.  Let me know via e-mail
if you have any questions.

Best wishes for a productive end of the week.

}-- End of excerpt from Frederic Medery

As always,
GW

------------------------------------------------------------------------------
                         The Hurderos Project
         Open Identity, Service and Authorization Management
                       http://www.hurderos.org
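The classical split model described in the reply keeps a user's identification object in LDAP and the authentication identity in the KDC, which is exactly where the two drift apart. The following is an added example, not Hurderos or Kerberos code: it reconciles a constructed LDIF export of the people subtree against a constructed `listprincs`-style dump, reporting directory users with no principal, principals with no directory object, and whether the ldap/HOSTNAME service principal the reply mentions exists. The realm EXAMPLE.ORG, the host dir1.example.org and all entries are made-up sample data.

```python
"""Reconcile LDAP user objects against KDC principals (constructed sample data)."""
import re

REALM = "EXAMPLE.ORG"  # assumed realm for the constructed data below

# Constructed LDIF export of ou=People (not from any real directory).
SAMPLE_LDIF = """\
dn: uid=fmedery,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: fmedery
uidNumber: 1001

dn: uid=gw,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: gw
uidNumber: 1002

dn: uid=nobody2,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: nobody2
uidNumber: 1003
"""

# Constructed text in the shape of a `kadmin.local -q listprincs` dump.
SAMPLE_PRINCS = """\
fmedery@EXAMPLE.ORG
gw@EXAMPLE.ORG
ldap/dir1.example.org@EXAMPLE.ORG
host/dir1.example.org@EXAMPLE.ORG
stale@EXAMPLE.ORG
"""

def ldif_uids(ldif):
    """Return the uid of every posixAccount entry in an LDIF dump."""
    uids = set()
    for entry in re.split(r"\n\s*\n", ldif.strip()):   # entries are blank-line separated
        lines = entry.splitlines()
        classes = {l.split(": ", 1)[1] for l in lines if l.startswith("objectClass: ")}
        uid = [l.split(": ", 1)[1] for l in lines if l.startswith("uid: ")]
        if "posixAccount" in classes and uid:
            uids.add(uid[0])
    return uids

def kdc_principals(listing, realm):
    """Split a principal listing into user names and service names (those with an instance)."""
    users, services = set(), set()
    for princ in listing.split():
        name, _, r = princ.rpartition("@")
        if r != realm:                       # ignore foreign realms and malformed lines
            continue
        (services if "/" in name else users).add(name)
    return users, services

def reconcile(ldif, listing, realm, ldap_host):
    """Report identity drift between the directory and the KDC for one realm."""
    uids = ldif_uids(ldif)
    users, services = kdc_principals(listing, realm)
    return {
        "missing_principal": sorted(uids - users),      # LDAP object, no KDC identity
        "orphan_principal": sorted(users - uids),       # KDC identity, no LDAP object
        "ldap_service_principal": f"ldap/{ldap_host}" in services,
    }

if __name__ == "__main__":
    print(reconcile(SAMPLE_LDIF, SAMPLE_PRINCS, REALM, "dir1.example.org"))
```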
