Kerberos OpenLDAP Frontend

Russ Allbery rra at
Fri Oct 5 14:54:55 EDT 2007

Simon Wilkinson <simon at> writes:

> One thing I keep thinking about implementing is an LDAP->kadmin
> proxy. You'd still have the KDC database in the current DB format, but
> you'd be able to access it through an overlay on your OpenLDAP server,
> which would translate LDAP actions into kadmin RPCs.

Having done a bit of Active Directory munging over LDAP, I don't think
LDAP makes a very appealing kadmin protocol, although it may be better
with a better data model than Active Directory offers.  (Separating flags
out into separate attributes, for example, rather than using a bitmask in
one attribute.)

LDAP is an extremely heavy-weight and complex protocol, although it does
have the advantage of having stable libraries and a reasonable
authentication structure.

Russ Allbery
