SASL/GSSAPI bind in LDAP plugin?

Nicolas Williams Nicolas.Williams at
Thu Feb 16 16:20:20 EST 2006

On Thu, Feb 16, 2006 at 12:48:36PM -0800, Henry B. Hotz wrote:
> On Feb 16, 2006, at 9:02 AM, krbdev-request at wrote:
> >> what's wrong with my suggestion?
> >
> > KDCs relying on KDCs to bootstrap?
> I don't think this answers the question.

But the next paragraph did -- I thought Sam wanted the ability to
separate the KDC and the DS.

>                                           If you're using Kerberized
> replication utilities then you need to configure slave machines to
> authenticate against an external kdc to bootstrap.  This has nothing
> to do with LDAP back-ends.
> As for who's running who:  well if the data is all in LDAP, then I
> think that decision has already been made.  The kdc is just a
> specialized front-end for the directory.
> In that architecture I would probably prefer to put the DS(s) and the
> KDC(s) on the same machine(s) precisely to simplify (and better
> secure) their interaction.

Me too.  But I thought Sam didn't want this, which is why I was
surprised by his answer.
