PKINIT and the schema? (Re: Lists of LDAP requirements
Sam Hartman
hartmans at MIT.EDU
Fri Jul 21 14:58:54 EDT 2006
>>>>> "Will" == Will Fiveash <William.Fiveash at sun.com> writes:
Will> On Tue, Jul 18, 2006 at 02:23:15PM -0500, Will Fiveash
Will> wrote:
>> On Mon, Jul 17, 2006 at 05:37:07PM -0400, Sam Hartman wrote:
>> >
>> > Hi. Two weeks ago I asked people interested in working on
>> the > LDAP plugin to send in the list of issues they want to
>> see fixed for > 1.6.
>> >
>> > I have only seen MIT's list.
>> >
>> > I was sort of expecting something from at least Sun and
>> Novell.
>>
>> I've attached the current set of Sun requested LDAP plugin
>> issues.
>> Sun Kerberos LDAP Plugin Requirements - I Schema
Will> Will PKINIT impact the schema? If so, does it make sense to
Will> modify the current schema to support it?
Probably, some configurations of pkinit will benefit from being able
to use LDAP to specifically indicate what cert is used with what
principal.
I'm not entirely sure what the PKIXly correct way of doing that is.
I don't think we want to create a dependency between the pkinit and
LDAP projects although thinking about this from an extensibility
standpoint is probably good.
Long term, Kerberos principals may not have secret keys in LDAP.
--Sam
More information about the krbdev
mailing list