LDAP Schema Design Suggestions?

Henry B. Hotz hotz at jpl.nasa.gov
Tue Oct 24 21:19:04 EDT 2006

No, I'm not talking about using LDAP to store the back-end for a KDC.

I'm wondering if there are any thoughts or wisdom related to RFC 2307  
(or successors) about how to store meta-information about Kerberos  
principals.  That RFC defines schemas for "machines" and things with  
IP numbers.  I also need to associate an "owner" for non-people  

Probably incomplete list of information needed for non-people  

Owner (either a uid for a given search base, or else a real-person  
Backup Owner (in case the primary vanishes)
Renewal Date (so we can clean up, and maybe rotate keys)
Maybe a reference to the machine entry, if it isn't part of the  
machine entry already.

For a machine, maybe a list of service principals extant?

Excuse the stream-of-consciousness presentation.  Trying to put this  
in more formal requirements:

A machine may have multiple IP numbers.

An IP number may have multiple service principals.

A service principal has (at least) an owner, backup owner, and  
renewal date.  (Maybe some duplicated info from the Kerberos DB.)

A service principal may be used to bind to LDAP (to get info about  

Are there any standard object classes (besides what's in 2307) that I  
might use?  Any suggestions, comments?
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
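As an added illustration (not part of the post or of any reply on the list) of the owner / backup owner / renewal-date requirements above, the following sketches how such entries might look and how the "clean up" pass could use them. The `x-servicePrincipal` object class and every `x-` attribute are assumptions standing in for a schema still to be designed; the sample entries are constructed, not real directory data.

```python
from datetime import datetime, timezone

# Constructed sample in LDIF form. The x-servicePrincipal object class and the
# x-* attributes are assumed names, not a published schema such as RFC 2307.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
uid: alice

dn: uid=dave,ou=people,dc=example,dc=org
uid: dave

dn: x-principalName=HTTP/web01.example.org@EXAMPLE.ORG,ou=services,dc=example,dc=org
objectClass: x-servicePrincipal
x-principalName: HTTP/web01.example.org@EXAMPLE.ORG
x-owner: uid=alice,ou=people,dc=example,dc=org
x-backupOwner: uid=bob,ou=people,dc=example,dc=org
x-renewalDate: 20260101000000Z

dn: x-principalName=ldap/web01.example.org@EXAMPLE.ORG,ou=services,dc=example,dc=org
objectClass: x-servicePrincipal
x-principalName: ldap/web01.example.org@EXAMPLE.ORG
x-owner: uid=carol,ou=people,dc=example,dc=org
x-backupOwner: uid=dave,ou=people,dc=example,dc=org
x-renewalDate: 20250301000000Z
"""

def parse_ldif(text):
    """Minimal LDIF reader (no base64 values, no folded lines): one dict per
    entry, attribute names lower-cased, values kept as lists."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def gtime(value):
    """LDAP GeneralizedTime of the form YYYYMMDDHHMMSSZ to an aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def overdue_principals(entries, now):
    """Service principals whose x-renewalDate is before `now` (GeneralizedTime),
    paired with the DN to notify: the owner if that entry still exists in the
    directory, otherwise the backup owner (the 'primary vanished' case)."""
    dns = {e["dn"][0] for e in entries}
    result = []
    for e in entries:
        if "x-serviceprincipal" not in [c.lower() for c in e.get("objectclass", [])]:
            continue
        if gtime(e["x-renewaldate"][0]) < gtime(now):
            owner, backup = e["x-owner"][0], e.get("x-backupowner", [None])[0]
            result.append((e["x-principalname"][0], owner if owner in dns else backup))
    return result
```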
