SASL/GSSAPI bind in LDAP plugin?

Henry B. Hotz hotz at
Fri Feb 24 12:48:46 EST 2006

On Feb 23, 2006, at 6:37 PM, Sam Hartman wrote:

>>>>>> "greg" == greg  <greg at> writes:
>     greg> I find it mystifying that anyone following this thread would conclude
>     greg> this process is simplifying anything.
>     greg> Identity (directory) stores and authentication stores are and should
>     greg> be separate data repositories.  Combining the two is a wrong-headed
>     greg> approach, IMHO.
> For most environments I tend to agree with you.
> I think that LDAP should be used as an admin protocol but not as a
> database storage protocol.
> The world, prompted by Microsoft's design choices, seems to disagree.
> --Sam

I think the world only cares about authorization, and you need
something like LDAP to store the necessary information.  In the chaos
that is currently typical the convenience and security issues that
Kerberos solves are all secondary and not visible.  Splitting
"authorization" into two different problems appears to be making the
problem harder rather than solving it.

Even people who understand the issue may not have the charter to
address it, because they are only responsible for the one, narrowly
defined, end capability.

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at