SASL/GSSAPI bind in LDAP plugin?

Will Fiveash William.Fiveash at
Thu Feb 16 17:47:45 EST 2006

On Thu, Feb 16, 2006 at 12:48:36PM -0800, Henry B. Hotz wrote:
> I don't think this answers the question.  If you're using Kerberized  
> replication utilities then you need to configure slave machines to  
> authenticate against an external kdc to bootstrap.  This has nothing  
> to do with LDAP back-ends.

I originally started this thread trying to understand a scenario like
the one pictured below (figure thanks to JavE):

   +-------+     +-------+       +-------+
   |  KDC  |     |  KDC  |       |  KDC  |
   +--|----+     +--+----+       +-.-'---+
       `-.          |           .-'
          `-.       |        .-'
             `.     |     .-'
               `-.  |  .-'
               | DS/KDC  |
               | (KDB)   |

I was wondering if how the KDCs not on the DS could do a SASL/GSSAPI
LDAP bind to the DS which uses Kerberos for auth.  I was not trying to
suggest this was the only way for a KDC to access a KDB stored in a

> As for who's running who:  well if the data is all in LDAP, then I  
> think that decision has already been made.  The kdc is just a  
> specialized front-end for the directory.
> In that architecture I would probably prefer to put the DS(s) and the  
> KDC(s) on the same machine(s) precisely to simplify (and better  
> secure) their interaction.

Sure but some may want a more flexible configuration.

Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)

More information about the krbdev mailing list