Is Kerberos manageable on large scale?

Sam Hartman hartmans at MIT.EDU
Tue Mar 30 15:46:41 EST 2004


>>>>> "Alberto" == Alberto Patino <jalbertop at aranea.com.mx> writes:

    Alberto> We have an interface to manage accounts in the Kerberos
    Alberto> realm, but using an LDAP backend as the KDC
    Alberto> database. Unfortunately MIT has no such interface. We use
    Alberto> Heimdal instead. I think MIT is reluctant to provide an
    Alberto> LDAP backend.

We'd be happy to provide an LDAP backend, although we don't see why it
would actually be useful to people.

When/if we migrate to supporting multiple backends, we plan to sign
the entries in the backend.  We want to make sure that the kadmind
service or some other Kerberos-specific code is involved in moderating
any administration request.

I.e., if your Kerberos database is in LDAP, only the KDC or
administration service should modify the data in LDAP.

We consider the question of providing an LDAP-based administration
protocol completely separate from the question of providing an LDAP
backend.  We'd also be interested in an LDAP-based admin protocol.
You'd want a plugin for your LDAP server to go make Kerberos
administration requests in response to LDAP PDUs.

--Sam
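
The entry signing described in the message above, as an added sketch that is not part of the original post and is not MIT Kerberos code. It assumes an HMAC-SHA256 tag under a key held only by the admin service and KDC stands in for the signature; the attribute names, DNs and key are hypothetical, constructed values.

```python
import hashlib
import hmac

def _lp(b: bytes) -> bytes:
    # Length-prefix each field so field boundaries cannot be shifted.
    return len(b).to_bytes(4, "big") + b

def canonical(dn: str, attrs: dict) -> bytes:
    """Order-independent, unambiguous encoding of one directory entry."""
    out = _lp(dn.encode())              # binds the tag to this entry's DN
    for name in sorted(attrs):
        values = sorted(attrs[name])    # LDAP attribute values are unordered
        out += _lp(name.encode()) + len(values).to_bytes(4, "big")
        for v in values:
            out += _lp(v)
    return out

def sign_entry(key: bytes, dn: str, attrs: dict) -> bytes:
    """Run by the admin service when it writes an entry."""
    return hmac.new(key, canonical(dn, attrs), hashlib.sha256).digest()

def verify_entry(key: bytes, dn: str, attrs: dict, tag: bytes) -> bool:
    """Run by the KDC when it reads an entry back from the directory."""
    return hmac.compare_digest(sign_entry(key, dn, attrs), tag)

def demo() -> dict:
    key = b"constructed-demo-key-not-a-real-secret"   # constructed sample
    dn = "cn=alice,ou=principals,dc=example,dc=com"   # constructed sample
    attrs = {                                         # hypothetical attribute names
        "exPrincipal": [b"alice@EXAMPLE.COM"],
        "exKeyVersion": [b"3"],
        "exFlags": [b"requires-preauth"],
    }
    tag = sign_entry(key, dn, attrs)
    # Same entry edited directly in the directory, bypassing the admin service.
    edited = dict(attrs, exFlags=[b"none"])
    other_dn = "cn=bob,ou=principals,dc=example,dc=com"
    return {
        "untouched": verify_entry(key, dn, attrs, tag),
        "edited_out_of_band": verify_entry(key, dn, edited, tag),
        "tag_moved_to_other_entry": verify_entry(key, other_dn, attrs, tag),
    }

if __name__ == "__main__":
    print(demo())
```

A per-entry tag like this does not detect an older, validly signed copy of the same entry being written back; catching that needs a version counter or similar state checked outside the directory.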


