kinit failure with Kerberos and LDAP backend

Booker Bense bbense at gmail.com
Tue Oct 30 15:22:10 EDT 2012


On Tue, Oct 30, 2012 at 11:57 AM, Rainer Laatsch <Laatsch at uni-koeln.de> wrote:
>
>
>
> On Fri, 26 Oct 2012, Booker Bense wrote:
>
>> Do yourself a big favor and put kerberos entities in ou=Accounts.
>> There is not a one to one relationship between accounts and people and
>> you will make your life much easier in the future if you clearly make
>> the split now.
>
>
> How and when would errors show up (if no split) ?
>

There would not be errors per se, but ideally you'd like to use the ldap
interface for more than just kerberos. There are many attributes that
should apply to a Person, that don't map well to an Account, particularly
if people end up having more than one account. If you stick with just
accounts and people have more than one account, you run into real
problems if you want to store data about the person and not just the account.

( Simple example, Name changes when people get married, etc... )

And you also avoid the issue of confusing identity with privilege. Separating
People and Accounts will help you avoid the authorization issues that arise
if you can't clearly separate identity from authorization.

12+ years ago when I was involved in the design of the Stanford SunetID
system we spent a lot of time going back and forth about the pros and cons
of each approach. I think time has clearly shown that splitting them into
two buckets was the right choice.

- Booker C. Bense
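The People/Accounts split described above, written out as an added LDIF example (not from this thread, and not the Stanford layout Booker refers to): one person entry owns two Kerberos principal accounts, and a name change touches only the person. The dc=example,dc=com suffix, the choice of the standard `seeAlso` attribute as the account-to-person link, and the objectClasses used (`account` plus MIT's `krbPrincipalAux`) are assumptions for illustration.

```ldif
# Added example: separate subtrees for people and for accounts.
# Suffix, seeAlso linkage and objectClasses are assumptions.

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Accounts,dc=example,dc=com
objectClass: organizationalUnit
ou: Accounts

# The person: identity data lives here and only here.
dn: uid=p1001,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: p1001
cn: Jane Smith
sn: Smith
givenName: Jane
mail: jane.smith@example.com

# Login account: a Kerberos principal that points back at the person.
dn: uid=jsmith,ou=Accounts,dc=example,dc=com
objectClass: account
objectClass: krbPrincipalAux
uid: jsmith
krbPrincipalName: jsmith@EXAMPLE.COM
seeAlso: uid=p1001,ou=People,dc=example,dc=com

# Second account for the same person (an admin instance); same owner.
dn: uid=jsmith-admin,ou=Accounts,dc=example,dc=com
objectClass: account
objectClass: krbPrincipalAux
uid: jsmith-admin
krbPrincipalName: jsmith/admin@EXAMPLE.COM
seeAlso: uid=p1001,ou=People,dc=example,dc=com

# A name change (e.g. marriage) modifies one entry; neither principal
# entry, and therefore neither krbPrincipalName, is affected.
dn: uid=p1001,ou=People,dc=example,dc=com
changetype: modify
replace: cn
cn: Jane Jones
-
replace: sn
sn: Jones
```

For the KDC to resolve principals stored this way, ou=Accounts must be among the subtrees the LDAP backend searches (the -subtrees option of kdb5_ldap_util), which is the usual cause of kinit failing to find a principal that is visibly present in the directory.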
