PKINIT and the schema? (Re: Lists of LDAP requirements
Chaskiel M Grundman
cg2v at andrew.cmu.edu
Thu Jul 20 18:17:05 EDT 2006
--On Thursday, July 20, 2006 03:53:56 PM -0500 Will Fiveash
<William.Fiveash at sun.com> wrote:
> Will PKINIT impact the schema?
The required-to-implement PKINIT certificate mapping algorithm does not
require the KDC to store mapping data: the certificate must have a subject
alternative name of type id-pkinit-san which contains a Kerberos principal.
Of course, MIT (or Novell, Sun, etc.) may want to implement a mapping
policy that allows certificates to be used with PKINIT that were not issued
specifically with PKINIT in mind.
Such a thing would impact the schema, but you'd really need to have an idea
of what that mapping policy (or mapping policy framework, if you want to be
that generic) will be in order to design LDAP schema for it.
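The mapping the post describes, as an added example that is not part of the original message and not MIT Kerberos code: a minimal DER encoder/decoder for the KRB5PrincipalName that RFC 4556 puts in the id-pkinit-san otherName (OID 1.3.6.1.5.2.2), and the KDC-side check that the SAN principal equals the client principal in the AS-REQ, with no KDC-side mapping table involved. The realm, principal names and the unrelated otherName OID `1.2.3.4.5.6` in the sample SAN are constructed for illustration.

```python
# Added example (not from the krbdev post or MIT Kerberos): KRB5PrincipalName
# DER encode/decode for the id-pkinit-san otherName (RFC 4556 3.2.2) and the
# required-to-implement KDC match. Sample values are constructed.

ID_PKINIT_SAN = "1.3.6.1.5.2.2"   # id-pkinit-san OID (RFC 4556)
NT_PRINCIPAL = 1                   # name-type for ordinary principals (RFC 4120)
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_GENERALSTRING = 0x1B           # KerberosString ::= GeneralString


def _der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _ctx(n, content):
    """Explicit context-specific [n] constructed tag, as RFC 4120 uses."""
    return _tlv(0xA0 | n, content)


def encode_krb5_principal_name(realm, components):
    # KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
    # PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
    name_type = _tlv(TAG_INTEGER, bytes([NT_PRINCIPAL]))
    name_string = _tlv(TAG_SEQUENCE, b"".join(
        _tlv(TAG_GENERALSTRING, c.encode("ascii")) for c in components))
    principal_name = _tlv(TAG_SEQUENCE, _ctx(0, name_type) + _ctx(1, name_string))
    realm_der = _tlv(TAG_GENERALSTRING, realm.encode("ascii"))
    return _tlv(TAG_SEQUENCE, _ctx(0, realm_der) + _ctx(1, principal_name))


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _expect(buf, pos, tag):
    """Read one TLV and insist on its tag; returns (content, next_pos)."""
    got, content, end = _read_tlv(buf, pos)
    if got != tag:
        raise ValueError(f"expected tag {tag:#04x}, got {got:#04x}")
    return content, end


def decode_krb5_principal_name(der):
    """Returns (realm, name_type, components); rejects trailing data."""
    seq, end = _expect(der, 0, TAG_SEQUENCE)
    if end != len(der):
        raise ValueError("trailing data after KRB5PrincipalName")
    realm_ctx, pos = _expect(seq, 0, 0xA0)
    realm, _ = _expect(realm_ctx, 0, TAG_GENERALSTRING)
    pn_ctx, pos = _expect(seq, pos, 0xA1)
    pn, _ = _expect(pn_ctx, 0, TAG_SEQUENCE)
    nt_ctx, p = _expect(pn, 0, 0xA0)
    nt, _ = _expect(nt_ctx, 0, TAG_INTEGER)
    ns_ctx, p = _expect(pn, p, 0xA1)
    ns, _ = _expect(ns_ctx, 0, TAG_SEQUENCE)
    comps, p = [], 0
    while p < len(ns):
        c, p = _expect(ns, p, TAG_GENERALSTRING)
        comps.append(c.decode("ascii"))
    return realm.decode("ascii"), int.from_bytes(nt, "big", signed=True), comps


def pkinit_san_principal(san_other_names):
    """san_other_names: (type-id OID, DER value) pairs from the certificate's
    subjectAltName otherName entries. Returns (realm, components) from the
    id-pkinit-san entry, or None if the certificate carries none."""
    for oid, value in san_other_names:
        if oid == ID_PKINIT_SAN:
            realm, _name_type, comps = decode_krb5_principal_name(value)
            return realm, comps
    return None


def kdc_accepts(san_other_names, req_realm, req_components):
    """Required-to-implement mapping: the SAN principal must equal the client
    principal in the AS-REQ. Compared as (realm, component list) so a '/' or
    '@' inside a component cannot make two different principals look alike."""
    found = pkinit_san_principal(san_other_names)
    return found is not None and found == (req_realm, list(req_components))


if __name__ == "__main__":
    # Constructed sample SAN: one unrelated otherName plus the PKINIT one.
    cert_san = [("1.2.3.4.5.6", b"unrelated"),
                (ID_PKINIT_SAN, encode_krb5_principal_name("EXAMPLE.ORG", ["alice"]))]
    print(kdc_accepts(cert_san, "EXAMPLE.ORG", ["alice"]))   # True
    print(kdc_accepts(cert_san, "EXAMPLE.ORG", ["bob"]))     # False
```

A policy of the kind the post speculates about (accepting certificates issued without PKINIT in mind) would replace `pkinit_san_principal` with a lookup against whatever the directory stores, which is exactly why the schema question cannot be answered before the mapping policy is chosen.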