Is Kerberos manageable on large scale?

[Alberto Patino]

On Tue, 2004-03-30 at 13:12, Richard Gundersen wrote:
> Hi
> 
> I am evaluating the suitability of Kerberos for a large scale implementation 
> (100's of users), where the apps will primarily be running on Java App 
> servers. I have MIT working in a test environment (Linux server, Windows 
> clients, custom Java apps) but I'm worried about how easy it is to manage 
> principles etc etc on a large scale.
We plan to manage +100000 users in a kerberos realm.
> 
> Kadmin works fine at the current scale but in a real implementation I don't 
> want to have to use kadmin from the console to manage user. In fact this job 
> will be given to a userwho will certainly not want to start writing 
> scripts/SSH'ing to the server.
> 
> Ideally a web app front end would be written - but so far from the 
> documentation and books I've read, there's no easy way to communicate with 
> kadmin (I'm thinking a nice C or Java API here). Surely this must be 
> possible with one of the open source versions available.
We have a interface to manage accounts in the kerberos realm, but using a LDAP backend 
as the KDC database. Unfortunately MIT has no such interface. We use
heimdal instead. I think MIT is reluctant to provide a LDAP backend.