SASL/GSSAPI bind in LDAP plugin?

Henry B. Hotz hotz at jpl.nasa.gov
Thu Feb 16 15:48:36 EST 2006


On Feb 16, 2006, at 9:02 AM, krbdev-request at mit.edu wrote:

> Date: Wed, 15 Feb 2006 17:54:56 -0600
> From: Nicolas Williams <Nicolas.Williams at sun.com>
> Subject: Re: SASL/GSSAPI bind in LDAP plugin?
> To: Sam Hartman <hartmans at MIT.EDU>
> Cc: MIT Kerberos Dev List <krbdev at mit.edu>
> Message-ID: <20060215235456.GK9977 at binky.Central.Sun.COM>
> Content-Type: text/plain; charset=utf-8
>
> On Wed, Feb 15, 2006 at 06:30:59PM -0500, Sam Hartman wrote:
>>>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at sun.com> writes:
>>
>>     Nicolas> On Wed, Feb 15, 2006 at 12:34:40PM -0500, Sam Hartman
>>     Nicolas> wrote:
>>>> I think that what you want to do is have at least one KDC on a
>>>> directory server and use SASL external with a unix domain
>>>> socket.
>>
>>     Nicolas> Sigh.
>>
>> what's wrong with my suggestion?
>
> KDCs relying on KDCs to bootstrap?

I don't think this answers the question.  If you're using Kerberized
replication utilities then you need to configure slave machines to
authenticate against an external KDC to bootstrap.  This has nothing
to do with LDAP back-ends.

As for who's running whom:  well if the data is all in LDAP, then I
think that decision has already been made.  The KDC is just a
specialized front-end for the directory.

In that architecture I would probably prefer to put the DS(s) and the
KDC(s) on the same machine(s) precisely to simplify (and better
secure) their interaction.
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
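The colocated layout Sam proposes and Henry endorses above (directory server and KDC on the same host, KDC binding over a unix domain socket with SASL EXTERNAL), as an added configuration example that is not part of this message or the thread. It assumes example.com DNs, a KDC daemon running as uid 0/gid 0, an ldapi socket at the default path, and the ldap_kdc_sasl_mech / ldap_kadmind_sasl_mech options that later MIT krb5 releases added to the kldap module; the simple-bind variant is shown first only as the contrast.

```ini
# --- kdc.conf, simple-bind variant (the thing the thread is trying to avoid) ---
# A bind DN plus a password stashed in a file, sent over a TCP socket.
# Anyone who can read the stash file or sniff the (unencrypted) socket
# gets the KDC's full view of the principal database.
[dbmodules]
    openldap_simple = {
        db_library = kldap
        ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
        ldap_servers = ldap://localhost
        ldap_kdc_dn = cn=kdc-service,dc=example,dc=com
        ldap_kadmind_dn = cn=kadmin-service,dc=example,dc=com
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
    }

# --- kdc.conf, colocated variant with SASL EXTERNAL over ldapi:// ---
# No LDAP password exists anywhere: slapd learns who the peer is from the
# unix-socket credentials, and the KDC never depends on another KDC (or on
# a GSSAPI ticket for itself) just to reach its own database.
[dbmodules]
    openldap_ldapi = {
        db_library = kldap
        ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
        ldap_servers = ldapi:///
        ldap_kdc_sasl_mech = EXTERNAL
        ldap_kadmind_sasl_mech = EXTERNAL
        ldap_conns_per_server = 5
    }

# --- slapd.conf fragment on the same host ---
# Peer credentials from the ldapi socket arrive as a SASL EXTERNAL
# identity of the form gidNumber=G+uidNumber=U,cn=peercred,cn=external,cn=auth.
# Map the uid/gid the KDC runs as (assumed 0/0 here) onto the service DN
# that the ACLs for the Kerberos container trust; nothing else on the
# socket is mapped, so an unprivileged local process gets only anonymous.
authz-regexp
    gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth
    "cn=kdc-service,dc=example,dc=com"
```

Verify the mapping before pointing the KDC at it: `ldapwhoami -Y EXTERNAL -H ldapi:///` run as the KDC's uid should print the mapped service DN, and run as another user should print the raw peercred identity. The ldapi socket path and the uid the KDC actually runs under are distribution-specific, so adjust both before reuse.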