kinit failure with Kerberos and LDAP backend

Russ Allbery rra at
Tue Oct 30 16:35:03 EDT 2012

Booker Bense <bbense at> writes:

> 12+ years ago when I was involved in the design of the Stanford SunetID
> system we spend a lot of time going back and forth about the pros and
> cons of each approach. I think time has clearly shown that splitting
> them into two buckets was the right choice.

I generally agree, although I'll warn that it's had some fairly
significant operational consequences, so it's not an obvious decision.
The biggest problem that we've had is with applications that need data
from both trees, since most applications are not designed to merge two
sets of LDAP data together.  This has primarily hit us with entitlements,
since sometimes you want entitlements that go with people and sometimes
you want entitlements with accounts.

Part of the problem is that, for historical reasons, we associated all
entitlements with people, which is actually the wrong thing to do.  Most
entitlements (and group membership) should be associated with the account,
so that you can properly represent people with multiple accounts that have
different levels of privilege (group membership and entitlements are the
main way that privilege is represented in practice).  But there are some
entitlements that are really based on the person (such as ones related to
affiliations) and should be inherited by the "primary" account.

We've now done a bunch of work to replicate the entitlements from the
person entry to the directory entry for the primary account for that
person, and we're still debugging that process.  Everything would have
been somewhat smoother if we'd anticipated that from the start.

Russ Allbery (rra at             <>

More information about the Kerberos mailing list