LDAP KDB

Matthew J. Smith matt.smith at uconn.edu
Wed Jan 24 09:09:40 EST 2007


  Along the same lines, I find my comfort level much higher using MIT
Kerberos as a security mechanism, and separately OpenLDAP (or any LDAP)
as a directory server.  Using a large piece of software originally
designed, built, and optimized for directory services as a security
mechanism seems dangerous to me, compared with using software designed,
built, and optimized from the ground up as a security mechanism.

  However, conversely, I would love to see an LDAP replacement for the
kadmin protocol.  I am not looking for an LDAP implementation worthy of
being called a true directory server, but rather simply a GSSAPI
authenticated, TLS protected, LDAP enabled interface for
adding/removing/managing users/acls/policies within the existing
Kerberos database.

  I pondered a back-kadmin for OpenLDAP for a while, but my C skills are
rather rusty.  Has anyone else considered this path, or is it just a bad
idea?

Just my $0.03,
-Matt

On Wed, 2007-01-24 at 11:36 +1300, Edward Murrell wrote:
> Possibly wandering off topic here, but I feel it's worth mentioning:
> 
> Having used OpenLDAP and Kerberos, I must say that I wouldn't do this.
> I can see why people would want to, but my experience with the two bits of
> software has left me with a sour taste when it comes to OpenLDAP,
> especially with regards to replication.
> 
> Granted, most of the problems seem to have been caused by either the BDB
> backend on OpenLDAP, or my own damn fault (schema problems, improper
> copies of replication data, flat out bad configuration, etc), but I have
> actually yet to break MIT KRB5, despite the weird and wonderful setups I
> have pushed through it, whereas OpenLDAP seems to fall over at the drop
> of a hat (or worse yet, half falls over, and doesn't tell you). Maybe
> I've done something wrong, but the fact that I've had to recreate my
> LDAP database at least five times in the past two years has left me a
> little hesitant about it.
> 
> In any case, I thought I'd put a note here. If you're planning a new
> installation from scratch, using the KDB Kerberos in LDAP method...
> Don't. In fact, while I'm on this topic, my recommendation is to set
> things up in the following order:
> 
> DNS
> Kerberos
> LDAP (using Kerberos for authentication of replicas).
> 
> Regards
> Edward Murrell
> 
> Ken Raeburn wrote:
> > On Jan 22, 2007, at 4:39, Enrico M. V. Fasanelli wrote:
> >   
> >> Dear Kerberos/LDAP gurus
> >>
> >> I've seen that the 1.6 MIT release includes support for storing the  
> >> database into an LDAP server.
> >>
> >> My apologies for the dummy question, but what are the advantages of  
> >> putting the database into LDAP?
> >>     
> >
> > Integration with other LDAP-based account administration, especially  
> > if Kerberos is being added to an environment already using LDAP;  
> > automatic and immediate synchronization between all KDCs and kadmin  
> > servers and password-change servers as changes are made....
> >
> > Ken
> >
> >
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >   
> 
-- 
Matthew J. Smith <matt.smith at uconn.edu>
University of Connecticut UITS
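Added example (not code from any poster in this thread, and not part of OpenLDAP or MIT krb5): Edward's third step, "LDAP (using Kerberos for authentication of replicas)", comes down to how the syncrepl consumer binds to its provider. The small audit below parses constructed slapd.conf fragments and flags a replica that authenticates with a stored simple-bind password (and sends it in the clear when there is no TLS), while accepting one that binds with SASL/GSSAPI from its Kerberos keytab. The directive and parameter names (syncrepl, rid, provider, bindmethod, saslmech, starttls, retry) are real OpenLDAP syncrepl syntax; the hostnames, DNs, and credentials are made up for the example.

```python
"""Audit OpenLDAP syncrepl stanzas for how the replica authenticates.

Constructed example; the hostnames/DNs are hypothetical.
"""
import shlex

# Constructed slapd.conf fragment: replica authenticates with a password
# kept in the config file and sent over plain ldap:// with no StartTLS.
WEAK_CONF = """
syncrepl rid=001
  provider=ldap://ldap1.example.com
  type=refreshAndPersist
  searchbase="dc=example,dc=com"
  bindmethod=simple
  binddn="cn=replicator,dc=example,dc=com"
  credentials=s3cret
  retry="60 +"
"""

# Constructed counterpart: replica binds with SASL/GSSAPI using its own
# Kerberos host keytab (no secret in slapd.conf) and requires StartTLS.
GSSAPI_CONF = """
# consumer runs with KRB5_KTNAME pointing at its ldap/ldap2.example.com keytab
syncrepl rid=001
  provider=ldap://ldap1.example.com
  type=refreshAndPersist
  searchbase="dc=example,dc=com"
  bindmethod=sasl
  saslmech=GSSAPI
  starttls=critical
  retry="60 +"
"""


def logical_lines(conf):
    """Join slapd.conf continuation lines (lines that begin with whitespace)."""
    out = []
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def parse_syncrepl(conf):
    """Return one {param: value} dict per syncrepl directive in conf."""
    stanzas = []
    for line in logical_lines(conf):
        tokens = shlex.split(line)  # honours quoted values like "60 +"
        if not tokens or tokens[0].lower() != "syncrepl":
            continue
        params = {}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            params[key.lower()] = val
        stanzas.append(params)
    return stanzas


def audit_syncrepl(conf):
    """Return a list of findings; empty means every replica binds with GSSAPI."""
    findings = []
    for p in parse_syncrepl(conf):
        rid = p.get("rid", "?")
        method = p.get("bindmethod", "simple").lower()  # slapd default is simple
        provider = p.get("provider", "")
        tls = provider.startswith("ldaps://") or \
            p.get("starttls", "").lower() in ("yes", "critical")
        if method == "simple":
            findings.append(f"rid={rid}: simple bind; replica password is stored "
                            f"in slapd.conf instead of a Kerberos keytab")
            if not tls:
                findings.append(f"rid={rid}: simple bind over {provider or 'ldap://'} "
                                f"without starttls; password crosses the wire in cleartext")
        elif method == "sasl":
            mech = p.get("saslmech", "").upper()
            if mech != "GSSAPI":
                findings.append(f"rid={rid}: SASL mechanism {mech or '(unset)'} "
                                f"is not GSSAPI; replica is not Kerberos-authenticated")
        else:
            findings.append(f"rid={rid}: unrecognised bindmethod {method!r}")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("gssapi", GSSAPI_CONF)):
        print(name, audit_syncrepl(conf) or "OK")
```

On the provider side this pairs with an authz-regexp mapping the replica's Kerberos identity to the DN that is granted read access, so the only long-lived secret involved is the replica's keytab, which Kerberos already had to manage anyway.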