Heimdal KDC, Windows XP and local users

Javier Palacios javiplx at gmail.com
Mon Jan 14 07:38:05 EST 2008


> > You don't need two databases. Both heimdal and MIT current versions
> > allow LDAP as "database" for credentials so you have a single
> > database. I've not used MIT, but I've been using heimdal-ldap for a
> > long time without problems.
>
> This is true. I'm doing the same with heimdal as you. But if there are
> security concerns about storing kerberos credentials in LDAP, then you
> need 2 databases. A KDC doesn't store other things than credentials in
> its native database.

Having encrypted keys (mkey_file) and a strict ACL for LDAP access
covers online and backup security. And as root can read everything,
that's enough for me.

Javier Palacios
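The two controls named in the reply, a master key that wraps the principal keys stored in LDAP and a directory ACL that hides those keys from everyone except the KDC, look like the following in a Heimdal deployment. This is an added illustration, not configuration from the poster or from the Heimdal project; the base DN `dc=example,dc=com`, the file paths, and the choice to let the KDC bind over `ldapi://` as root via SASL EXTERNAL are assumptions, and the ACL is written in OpenLDAP `slapd.conf` syntax.

```conf
# --- /etc/krb5.conf on the KDC host (assumed path) ---
# With mkey_file set, Heimdal stores principal keys in the HDB encrypted
# under the master key; the LDAP backend then holds only wrapped key material.
[kdc]
    database = {
        # assumed container for the principal entries
        dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com
        # master key created with kstash; back it up separately from LDAP
        mkey_file = /var/heimdal/m-key
        acl_file = /var/heimdal/kadmind.acl
    }

# --- slapd.conf fragment on the directory server (assumed) ---
# Only the KDC's own identity may read or write the wrapped keys; every
# other bind, including anonymous and ordinary users, gets nothing.
# The dn below is what OpenLDAP assigns to a root process binding over
# ldapi:// with SASL EXTERNAL, which is how Heimdal binds by default.
access to attrs=krb5Key,krb5KeyVersionNumber
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
    by * none

# Remaining principal attributes stay readable to authenticated admins
# but are still withheld from anonymous clients.
access to dn.subtree="ou=KerberosPrincipals,dc=example,dc=com"
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
    by users read
    by * none
```

The `krb5Key` ACL rule must come before any broader rule that grants `read` on the subtree, because OpenLDAP stops at the first matching `access to` clause. The master key file is generated once with `kstash` on the KDC host and is what makes an LDAP dump or an LDAP backup useless on its own, which is the "online and backup security" point of the reply; it should be protected with filesystem permissions for root only and backed up through a separate channel.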



More information about the Kerberos mailing list