Is Kerberos manageable on large scale?

Alberto Patino jalbertop at aranea.com.mx
Tue Mar 30 16:12:33 EST 2004


On Tue, 2004-03-30 at 14:46, Sam Hartman wrote:
> >>>>> "Alberto" == Alberto Patino <jalbertop at aranea.com.mx> writes:
> 
>     Alberto> We have an interface to manage accounts in the kerberos
>     Alberto> realm, but using a LDAP backend as the KDC
>     Alberto> database. Unfortunately MIT has no such interface. We use
>     Alberto> heimdal instead. I think MIT is reluctant to provide a
>     Alberto> LDAP backend.
> 
> We'd be happy to provide an LDAP backend, although we don't see why it
> would actually be useful to people.
Consider that we want to manage different platforms. Of course one of
them is MS. We have a few options to manage accounts in AD/MS KDC. One
of them is the LDAP protocol, so I don't want to rewrite the same
interface using the kadmin API; I hope to use the same LDAP interface
to manage accounts in other LDAP/KDC tuples.

> When/if we migrate to supporting multiple backends, we plan to sign
> the entries in the backend.  We want to make sure that the kadmind
> service or some other Kerberos specific code is involved in moderating
> any administration request.
This sounds to me like we can provide a kadmin backend specific proxy,
but I think this is extra work to do.
> I.E. if your Kerberos database is in LDAP, only the KDC or
> administration service should modify the data in LDAP.
> 
> We consider the question of providing an LDAP-based administration
> protocol completely separate from the question of providing an LDAP
> backend.  We'd also be interested in an LDAP-based admin protocol.
> You'd want a plugin for your LDAP server to go make Kerberos
> administration requests in response to LDAP PDUs.
Yeah, this could be the best approach, but could we convince MS to
adopt this interface? If we can, we would need to wait for these changes
to be implemented.
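The entry-signing scheme Sam sketches above (only kadmind or the KDC should write the LDAP-backed database, and entries are signed so that anything else that modifies them is noticed), as an added example that is not MIT or Heimdal code: kadmind computes an HMAC over the canonicalized principal attributes, and the KDC verifies it before trusting an entry. The key, attribute names and sample principal are constructed assumptions, not a real schema.

```python
import hashlib
import hmac
import json

# Constructed assumption: a key held only by kadmind and the KDC (e.g. in the
# stash file), never readable through LDAP itself.
SIGNING_KEY = b"constructed-demo-key-do-not-use"

# Attributes covered by the signature (constructed names, not a real schema).
# Anything the KDC relies on must be in this set, or a direct LDAP write to it
# would go unnoticed.
SIGNED_ATTRS = ("principalName", "kvno", "maxLife", "policy", "attributes")


def canonical_bytes(entry: dict) -> bytes:
    """Deterministic encoding of the signed attributes, so the same logical
    entry hashes identically regardless of attribute order or extra fields."""
    subset = {k: entry.get(k) for k in SIGNED_ATTRS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()


def sign_entry(entry: dict, key: bytes = SIGNING_KEY) -> dict:
    """kadmind path: every administrative write stores a fresh signature."""
    signed = dict(entry)
    digest = hmac.new(key, canonical_bytes(entry), hashlib.sha256).hexdigest()
    signed["entrySignature"] = digest
    return signed


def verify_entry(entry: dict, key: bytes = SIGNING_KEY) -> bool:
    """KDC path: refuse an entry whose signature does not match its contents."""
    expected = hmac.new(key, canonical_bytes(entry), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, entry.get("entrySignature", ""))


def demo() -> tuple:
    # Constructed sample principal entry written through kadmind.
    entry = {"principalName": "alice@EXAMPLE.ORG", "kvno": 3,
             "maxLife": 36000, "policy": "default", "attributes": 0}
    stored = sign_entry(entry)
    ok_before = verify_entry(stored)
    # A write that bypasses kadmind (plain LDAP modify): the policy changes
    # but the signature is not recomputed, so the KDC rejects the entry.
    tampered = dict(stored, policy="none")
    ok_after = verify_entry(tampered)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

This detects out-of-band modification rather than preventing it; the LDAP ACLs still have to limit who may write, and the signed attribute set must cover every field the KDC trusts.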