kinit failure with Kerberos and LDAP backend

Rainer Laatsch Laatsch at
Tue Oct 30 15:36:51 EDT 2012

Thank you very much for clarifying this issue-
Best regards
R. Laatsch

On Tue, 30 Oct 2012, Booker Bense wrote:

> On Tue, Oct 30, 2012 at 11:57 AM, Rainer Laatsch <Laatsch at> wrote:
>> On Fri, 26 Oct 2012, Booker Bense wrote:
>>> Do yourself a big favor and put kerberos entities in ou=Accounts.
>>> There is not a one to one
>>> relationship between accounts and people and you will make your life
>>> much easier in the
>>> future if you clearly make the split now.
>> How and when would errors show up (if no split) ?
> There would not be errors per se, but ideally you'd like to use the ldap
> interface for more than just kerberos. There are many attributes that
> should apply to a Person, that don't map well to an Account, particularly
> if people end up having more than one account. If you stick with just
> accounts and people have more than one account, you run into real
> problems if you want to store data about the person and not just the account.
> ( Simple example, Name changes when people get married, etc... )
> And you also avoid the issue of confusing identity with privilege. Separating
> People and Accounts will help you avoid the authorization issues that
> arise if you can't
> clearly separate identity from authorization.
> 12+ years ago when I was involved in the design of the Stanford
> SunetID system we spend
> a lot of time going back and forth about the pros and cons of each
> approach. I think time
> has clearly shown that splitting them into two buckets was the right choice.
> - Booker C. Bense

More information about the Kerberos mailing list