MIT Incremental Propagation

Nicolas Williams Nicolas.Williams at sun.com
Fri Sep 21 16:54:08 EDT 2007


On Fri, Sep 21, 2007 at 03:29:16PM -0500, John Hascall wrote:
> > There are plenty of LDAP servers suitable for backending the KDC that
> > support incremental and/or multi-master replication.
> 
> That, I suppose, depends on your definition of "suitable".
> It certainly isn't suitable to me.  The size of the KDC
> codebase is big enough to worry about, throwing something
> like an entire LDAP server into the mix is a whole 'nother
> kettle of fish.

Maybe.  If you run the LDAP servers for the KDC backend such that only
the KDCs can be clients of it, with proper packet filtering, then there
won't be much room for new attack vectors.

Whereas if you use an LDAP server infrastructure that's also used for
other things, like name services, then you'd be exposing the KDCs to
attack via hostile (p0wned) directory services.

Nico
-- 
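The first paragraph above describes a concrete deployment shape: an LDAP server that backs the KDC, reachable only from the KDC hosts through packet filtering. The following is an added example, not code from the thread or from MIT Kerberos; it renders that policy as an nftables ruleset (admit 389/tcp and 636/tcp only from the listed KDC addresses, drop those ports from everyone else) and includes a small first-match evaluator so the rules can be checked against constructed connection attempts. The table name, the KDC addresses and the "one LDAP server, a few KDC clients" layout are assumptions. Widening the kdc_hosts set to, say, an entire name-service subnet is exactly the shared-infrastructure exposure the second paragraph warns about.

```python
"""Packet filter for an LDAP server that only the KDCs may query.

Added example, not from the mailing-list thread: renders an nftables
ruleset that admits the LDAP ports only from the KDC hosts, plus a
first-match evaluator for checking the policy offline. The table name
and the host addresses below are assumptions (RFC 5737 documentation
ranges are used as constructed sample data).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable

LDAP_PORTS = (389, 636)  # ldap and ldaps


@dataclass(frozen=True)
class Rule:
    action: str         # "accept" or "drop"
    sources: frozenset  # ip_network objects; empty means "any source"
    ports: frozenset    # tcp destination ports; empty means "any port"


def build_ldap_rules(kdc_hosts: Iterable[str]) -> list:
    """First-match rules: KDCs reach LDAP; any other source to LDAP is dropped."""
    kdc_nets = frozenset(ip_network(h, strict=False) for h in kdc_hosts)
    return [
        Rule("accept", kdc_nets, frozenset(LDAP_PORTS)),
        Rule("drop", frozenset(), frozenset(LDAP_PORTS)),
    ]


def render_nftables(kdc_hosts: Iterable[str], table: str = "kdc_ldap") -> str:
    """Render the same policy as an nftables ruleset (table name is assumed)."""
    elems = ", ".join(sorted(
        str(ip_network(h, strict=False)).removesuffix("/32") for h in kdc_hosts))
    ports = ", ".join(str(p) for p in LDAP_PORTS)
    return "\n".join([
        f"table inet {table} {{",
        "    set kdc_hosts {",
        "        type ipv4_addr",
        "        flags interval",
        f"        elements = {{ {elems} }}",
        "    }",
        "    chain input {",
        "        type filter hook input priority 0; policy accept;",
        f"        ip saddr @kdc_hosts tcp dport {{ {ports} }} accept",
        f"        tcp dport {{ {ports} }} drop",
        "    }",
        "}",
    ])


def evaluate(rules: list, src: str, dport: int, default: str = "accept") -> str:
    """Return the verdict for one TCP connection attempt; first matching rule wins."""
    saddr = ip_address(src)
    for rule in rules:
        if rule.ports and dport not in rule.ports:
            continue
        if rule.sources and not any(saddr in net for net in rule.sources):
            continue
        return rule.action
    return default  # chain policy when nothing matched


if __name__ == "__main__":
    kdcs = ["192.0.2.10", "192.0.2.11"]  # constructed KDC addresses
    print(render_nftables(kdcs))
    rules = build_ldap_rules(kdcs)
    for src, port in [("192.0.2.10", 636), ("198.51.100.7", 389), ("198.51.100.7", 22)]:
        print(f"{src}:{port} -> {evaluate(rules, src, port)}")
```

The evaluator deliberately models only source address and destination port, which is all the policy in the message depends on; the rendered ruleset leaves the chain policy at accept so that unrelated services on the host are untouched, and only the LDAP ports are restricted.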


