Is Kerberos manageable on large scale?

Sam Hartman hartmans at MIT.EDU
Tue Mar 30 16:40:15 EST 2004


>>>>> "Alberto" == Alberto Patino <jalbertop at aranea.com.mx> writes:

    Alberto> On Tue, 2004-03-30 at 14:46, Sam Hartman wrote:
    >> >>>>> "Alberto" == Alberto Patino <jalbertop at aranea.com.mx>
    >> writes:
    >> 
    Alberto> We have an interface to manage accounts in the kerberos
    Alberto> realm, but using an LDAP backend as the KDC
    Alberto> database. Unfortunately MIT has no such interface. We use
    Alberto> heimdal instead. I think MIT is reluctant to provide an
    Alberto> LDAP backend.
    >>  We'd be happy to provide an LDAP backend, although we don't
    >> see why it would actually be useful to people.
    Alberto> Consider that we want to manage different platforms. Of
    Alberto> course one of them is MS. We have a few options to manage
    Alberto> accounts in AD/MS KDC. One of them is the LDAP protocol,
    Alberto> so I don't want to rewrite the same interface using the
    Alberto> kadmin API; so I hope to use the same LDAP interface to
    Alberto> manage accounts in other LDAP/KDC tuples.

So you want an LDAP admin protocol that has a schema compatible with
the MS schema.  You'd be happy if it was handled by an LDAP server
plugin or simply by modifying the direct LDAP database, provided that
one or the other existed.

Making an LDAP schema that is MS compatible is not really something
MIT is interested in doing, but it is something we are interested in
enabling third parties to do.

In cases where both the IETF and MS have solutions, we'd rather adopt
the IETF solution, allowing Samba, OS vendors and others interested in
MS interop to work on that aspect of the problem.

That said, while working in the IETF context, we consider technology
submissions from MS just like everyone else's.  When MS submits
technology, the fact that they have a large deployed base makes
adopting their technology attractive.  As always, the IETF will
technically review the submissions and does not just rubber stamp
vendor submissions.

In this particular case, MS has not submitted their schema for
consideration.  They have also not participated in discussions of the
LDAP schema within the IETF.
