SASL/GSSAPI bind in LDAP plugin?
Nicolas.Williams at sun.com
Thu Feb 16 16:20:20 EST 2006
On Thu, Feb 16, 2006 at 12:48:36PM -0800, Henry B. Hotz wrote:
> On Feb 16, 2006, at 9:02 AM, krbdev-request at mit.edu wrote:
> >> what's wrong with my suggestion?
> > KDCs relying on KDCs to bootstrap?
>
> I don't think this answers the question.

But the next paragraph did -- I thought Sam wanted the ability to
separate the KDC and the DS.

> If you're using Kerberized
> replication utilities then you need to configure slave machines to
> authenticate against an external kdc to bootstrap. This has nothing
> to do with LDAP back-ends.
>
> As for who's running who: well if the data is all in LDAP, then I
> think that decision has already been made. The kdc is just a
> specialized front-end for the directory.
>
> In that architecture I would probably prefer to put the DS(s) and the
> KDC(s) on the same machine(s) precisely to simplify (and better
> secure) their interaction.

Me too. But I thought Sam didn't want this, which is why I was
surprised by his answer.