Kerberos OpenLDAP Frontend

Russ Allbery rra at stanford.edu
Fri Oct 5 14:54:55 EDT 2007


Simon Wilkinson <simon at sxw.org.uk> writes:

> One thing I keep thinking about implementing is an LDAP->kadmin
> proxy. You'd still have the KDC database in the current DB format, but
> you'd be able to access it through an overlay on your OpenLDAP server,
> which would translate LDAP actions into kadmin RPCs.

Having done a bit of Active Directory munging over LDAP, I don't think
LDAP makes a very appealing kadmin protocol, although it may be better
with a better data model than Active Directory offers.  (Separating flags
out into separate attributes, for example, rather than using a bitmask in
one attribute.)

LDAP is an extremely heavy-weight and complex protocol, although it does
have the advantage of having stable libraries and a reasonable
authentication structure.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
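
The data-model point in the reply above, as an added example that is not part of the original post. It assumes the bitmask meant is Active Directory's userAccountControl attribute (the post does not name it); the flag values are AD's documented bits, and the krb* per-flag attribute names are hypothetical.

```python
# Added illustration: one bitmask attribute vs. one attribute per flag.
# Assumption: the bitmask is AD's userAccountControl; krb* names are hypothetical.
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x00000002,
    "NORMAL_ACCOUNT": 0x00000200,
    "DONT_EXPIRE_PASSWORD": 0x00010000,
    "NOT_DELEGATED": 0x00100000,
    "DONT_REQ_PREAUTH": 0x00400000,
}
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # AD's LDAP_MATCHING_RULE_BIT_AND


def decode_uac(value):
    """Split the single integer into the flag names it encodes."""
    return sorted(name for name, bit in UAC_FLAGS.items() if value & bit)


def attr_name(flag):
    """Hypothetical per-flag attribute, e.g. DONT_REQ_PREAUTH -> krbDontReqPreauth."""
    return "krb" + flag.title().replace("_", "")


def set_flag_bitmask(current, flag, enabled):
    """Bitmask model: the client must first read `current`, then rewrite the
    whole integer, so two concurrent admins can overwrite each other's change."""
    bit = UAC_FLAGS[flag]
    new = (current | bit) if enabled else (current & ~bit)
    return [("replace", "userAccountControl", str(new))]


def set_flag_separate(flag, enabled):
    """Separate-attribute model: one self-contained change, no prior read."""
    return [("replace", attr_name(flag), "TRUE" if enabled else "FALSE")]


def filter_bitmask(flag):
    """Searching on one bit needs AD's extensible bitwise matching rule."""
    return "(userAccountControl:%s:=%d)" % (BIT_AND_RULE, UAC_FLAGS[flag])


def filter_separate(flag):
    """With one attribute per flag, a plain equality filter is enough."""
    return "(%s=TRUE)" % attr_name(flag)


if __name__ == "__main__":
    # Constructed values: both admins read 512, then each writes a full integer.
    print(set_flag_bitmask(512, "ACCOUNTDISABLE", True))        # admin A writes 514
    print(set_flag_bitmask(512, "DONT_EXPIRE_PASSWORD", True))  # admin B writes 66048, undoing A
    print(filter_bitmask("DONT_REQ_PREAUTH"), filter_separate("DONT_REQ_PREAUTH"))
```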


