PKINIT and the schema? (Re: Lists of LDAP requirements

Sam Hartman hartmans at MIT.EDU
Fri Jul 21 14:58:54 EDT 2006

>>>>> "Will" == Will Fiveash <William.Fiveash at> writes:

    Will> On Tue, Jul 18, 2006 at 02:23:15PM -0500, Will Fiveash wrote:
    >> On Mon, Jul 17, 2006 at 05:37:07PM -0400, Sam Hartman wrote:
    >> >
    >> > Hi.  Two weeks ago I asked people interested in working on the
    >> > LDAP plugin to send in the list of issues they want to see fixed
    >> > for 1.6.
    >> >
    >> > I have only seen MIT's list.
    >> >
    >> > I was sort of expecting something from at least Sun and Novell.
    >> I've attached the current set of Sun requested LDAP plugin issues.

    >> Sun Kerberos LDAP Plugin Requirements - I Schema

    Will> Will PKINIT impact the schema?  If so, does it make sense to
    Will> modify the current schema to support it?

Probably, some configurations of pkinit will benefit from being able
to use LDAP to specifically indicate what cert is used with what

I'm not entirely sure what the PKIXly correct way of doing that is.

I don't think we want to create a dependency between the pkinit and
LDAP projects although thinking about this from an extensibility
standpoint is probably good.

Long term, Kerberos principals may not have secret keys in LDAP.
