greg at
Wed Feb 22 11:53:12 EST 2006

On Feb 18,  9:07am, Andrew Bartlett wrote:
> On Thu, 2006-02-16 at 12:48 -0800, Henry B. Hotz wrote:

> > As for who's running who:  well if the data is all in LDAP, then I
> > think that decision has already been made.  The kdc is just a
> > specialized front-end for the directory.
> > In that architecture I would probably prefer to put the DS(s) and the
> > KDC(s) on the same machine(s) precisely to simplify (and better
> > secure) their interaction.

> As such, it seems a very good idea to tightly bind KDCs to LDAP
> servers in an operational environment, particularly if it simplifies
> authentication.

I find it mystifying that anyone following this thread would conclude
this process is simplifying anything.

Identity (directory) stores and authentication stores are and should
be separate data repositories.  Combining the two is a wrong-headed
approach, IMHO.

If the KDC has its own authentication store it is trivially easy to
self-generate credentials to provide for secured communications from
the KDC to the DS.  I implemented that some time ago working on the
Hurderos stuff.

I can certainly understand the desire to clone existing products but
in this case trying to reproduce what Microsoft has done is certainly
wrong-headed.  Authentication and authorization seem to be the one
field in OSS where the goal seems to be to blindly follow poor design
decisions; I find it mystifying considering the long term

We are trying to solve the lack of an integrated management framework
by mashing everything into a single database.  Somewhat strange
considering we have all grown up in an environment made powerful by
the synergy of properly integrated minimalistic tools.

> Andrew Bartlett


As always,
Dr. G.W. Wettstein, Ph.D.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
"Who cares about automated wafer steppers?"
                                -- Michael S. Malone

