An alternative plan for principal mapping

S Rahul srahul at
Tue Aug 1 01:15:54 EDT 2006

    We expect the directory to provide some LDAP extension / control to
enforce the login policy. In Novell eDirectory, we have two such
extensions - one to find out whether the user is allowed to login and
the other to update the directory with the result of the login attempt.
We expect other directories to use similar extensions / controls for
enforcing the policies.


-Rahul S.

Luke Howard wrote:
>> 1. The KDC should apply the user's login policies and password policies
>> to the
>>   principal. 
> One problem with this approach is that there is no directory
> server agnostic way to apply logon policy, auditing, etc, if
> you are not actually binding to the directory as the client.
> (Unless you assume that the LDAP password policy draft will
> gain widespread traction. I concede that is a possibility,
> but it still has the problem of duplicating the authorization
> code path.)
> I have often thought that it would be useful to specify
> an LDAP control that could be used when looking up a principal,
> to request that the directory server enforce the policy it
> would apply if the principal was binding directly. The control
> could allow the authentication authority (the KDC) to convey
> logon time, end address, etc.
> Another approach would be to use an extended operation but
> the control approach has the advantage of avoiding a round
> trip to the directory.
> Note that RFC 4370 is insufficient to implement this, because
> the client will typically have less directory privileges than
> the authentication authority.
> -- Luke

More information about the krbdev mailing list