Associating Kerberos identities to LDAP object
psahukar at novell.com
Tue Jul 25 06:34:25 EDT 2006

One LDAP identity can be associated with many Kerberos identities from
the same or different realm. So all the Kerberos identities' information
needs to be associated with the LDAP identity. The approach that we have
taken is as follows:

The first principal identity will be on the LDAP object (by extending

Additional Kerberos identities will be created as separate krbprincipal
objects. The krbprincipal objects will be created either in a separate
container under realm's subtree or directly under the realm's subtree.
If a separate container under realm's subtree is dedicated for the
additional principals then the information of this separate container
will be stored in the realm container object.

Two-way links between the LDAP object and the krbprincipal object will

Any comments / suggestions on this approach are welcome.
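
Added example, not part of the original post or of any Kerberos code: a consistency audit over the two-way links described above, run on a constructed in-memory directory. The attribute names (`principalName`, `principalRefs`, `objectRef`, `name`) and all DNs are hypothetical; the post does not name the schema attributes.

```python
# Added example; attribute names are hypothetical, not the proposal's schema.
FIRST = "principalName"  # first principal, stored on the LDAP object itself
FWD = "principalRefs"    # LDAP object -> DNs of additional krbprincipal objects
BACK = "objectRef"       # krbprincipal object -> DN of the owning LDAP object

ALICE = "cn=alice,ou=people,o=example"
BOB = "cn=bob,ou=people,o=example"
P_B = "cn=alice@B.EXAMPLE,cn=B.EXAMPLE,cn=krb,o=example"
P_ADM = "cn=alice/admin@A.EXAMPLE,cn=A.EXAMPLE,cn=krb,o=example"
P_OLD = "cn=stale@A.EXAMPLE,cn=A.EXAMPLE,cn=krb,o=example"

# Constructed sample directory: DN -> attributes.
DIRECTORY = {
    ALICE: {FIRST: "alice@A.EXAMPLE", FWD: [P_B, P_ADM]},
    BOB: {FIRST: "bob@A.EXAMPLE", FWD: []},
    P_B: {"name": "alice@B.EXAMPLE", BACK: ALICE},
    # Back link points at bob although alice lists this principal.
    P_ADM: {"name": "alice/admin@A.EXAMPLE", BACK: BOB},
    # Principal object whose owner does not exist and that nothing links to.
    P_OLD: {"name": "stale@A.EXAMPLE", BACK: "cn=carol,ou=people,o=example"},
}

def principals_of(directory, dn):
    """Principal names for one LDAP identity, trusting only links confirmed both ways."""
    entry = directory[dn]
    names = [entry[FIRST]]
    for ref in entry.get(FWD, []):
        princ = directory.get(ref)
        if princ is not None and princ.get(BACK) == dn:
            names.append(princ["name"])
    return names

def audit_links(directory):
    """Return (problem, source DN, target DN) for every link that is not mirrored."""
    findings = []
    for dn, entry in directory.items():
        for ref in entry.get(FWD, []):
            princ = directory.get(ref)
            if princ is None:
                findings.append(("dangling-forward", dn, ref))
            elif princ.get(BACK) != dn:
                findings.append(("back-link-mismatch", dn, ref))
        owner = entry.get(BACK)
        if owner is not None and dn not in directory.get(owner, {}).get(FWD, []):
            findings.append(("unreferenced-principal", dn, owner))
    return findings
```

Resolving principals only through links confirmed in both directions keeps a single edited entry from attaching an extra Kerberos identity to an LDAP identity.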