Associating Kerberos identities to LDAP object

Praveenkumar Sahukar psahukar at novell.com
Tue Jul 25 06:34:25 EDT 2006


Hi,

One LDAP identity can be associated with many Kerberos identities from
the same or different realms. So all the Kerberos identities' information
needs to be associated with the LDAP identity. The approach that we have
taken is as follows:

The first principal identity will be on the LDAP object (by extending
aux class).

Additional Kerberos identities will be created as separate krbprincipal
objects. The krbprincipal objects will be created either in a separate
container under the realm's subtree or directly under the realm's subtree.
If a separate container under the realm's subtree is dedicated for the
additional principals, then the information of this separate container
will be stored in the realm container object.

Two-way links between the LDAP object and the krbprincipal object will
be created.

Any comments / suggestions on this approach are welcome.

Thanks,
Praveen Kumar
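
An added illustration of the two-way links proposed in the message above (not part of the original post and not the krb5 project's code): an in-memory audit that flags links present in only one direction and resolves an identity's principals through confirmed links only. The attribute names `principalName`, `principalRefs` and `objectRef`, the DNs and the directory contents are hypothetical, constructed values.

```python
# Hypothetical attribute names; the post does not name the schema attributes.
#   principalName - Kerberos principal name(s) held by an entry
#   principalRefs - LDAP object -> DNs of its additional krbprincipal objects
#   objectRef     - krbprincipal object -> DN of the LDAP object it belongs to
ALICE, BOB, CAROL = "cn=alice,ou=people", "cn=bob,ou=people", "cn=carol,ou=people"
P1 = "cn=alice/admin@EXAMPLE.COM,cn=principals,cn=EXAMPLE.COM"  # dedicated container
P2 = "cn=alice@OTHER.ORG,cn=OTHER.ORG"                          # directly under realm
P3 = "cn=bob/ftp@EXAMPLE.COM,cn=principals,cn=EXAMPLE.COM"
P4 = "cn=carol/admin@EXAMPLE.COM,cn=principals,cn=EXAMPLE.COM"

# Constructed sample directory (DN -> attributes); CAROL has been deleted.
DIRECTORY = {
    ALICE: {"principalName": ["alice@EXAMPLE.COM"], "principalRefs": [P1, P2]},
    P1: {"principalName": ["alice/admin@EXAMPLE.COM"], "objectRef": [ALICE]},
    P2: {"principalName": ["alice@OTHER.ORG"], "objectRef": [ALICE]},
    BOB: {"principalName": ["bob@EXAMPLE.COM"], "principalRefs": [P3]},
    P3: {"principalName": ["bob/ftp@EXAMPLE.COM"], "objectRef": []},  # no back link
    P4: {"principalName": ["carol/admin@EXAMPLE.COM"], "objectRef": [CAROL]},
}

def audit_links(directory):
    """Return sorted (problem, from_dn, to_dn) tuples for broken two-way links."""
    findings = set()
    for dn, attrs in directory.items():
        # Forward direction: LDAP object -> additional krbprincipal objects.
        for target in attrs.get("principalRefs", []):
            entry = directory.get(target)
            if entry is None:
                findings.add(("dangling-forward-link", dn, target))
            elif dn not in entry.get("objectRef", []):
                findings.add(("missing-back-link", target, dn))
        # Reverse direction: krbprincipal object -> owning LDAP object.
        for owner in attrs.get("objectRef", []):
            entry = directory.get(owner)
            if entry is None:
                findings.add(("orphaned-principal", dn, owner))
            elif dn not in entry.get("principalRefs", []):
                findings.add(("missing-forward-link", owner, dn))
    return sorted(findings)

def principals_of(directory, dn):
    """All principal names for an LDAP identity, using only confirmed two-way links."""
    names = list(directory[dn].get("principalName", []))
    for target in directory[dn].get("principalRefs", []):
        entry = directory.get(target, {})
        if dn in entry.get("objectRef", []):
            names.extend(entry.get("principalName", []))
    return names
```

An orphaned krbprincipal object such as `P4` is the case worth alerting on: the owning LDAP object is gone but the principal can still exist in the realm.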




