Associating Kerberos identities to LDAP object

Sam Hartman hartmans at MIT.EDU
Wed Jul 26 08:13:27 EDT 2006

>>>>> "Praveenkumar" == Praveenkumar Sahukar <psahukar at> writes:

    Praveenkumar> Additional kerberos identities will be created as
    Praveenkumar> separate krbprincipal objects. The krbprincipal
    Praveenkumar> objects will be created either in a separate
    Praveenkumar> container under realm's subtree or directly under
    Praveenkumar> the realm's subtree.  If a separate container under
    Praveenkumar> realm's subtree is dedicated for the additional
    Praveenkumar> principals then the information of this separate
    Praveenkumar> container will be stored in the realm container
    Praveenkumar> object.

First, I think that asserting the first principal will extend the
directory object is problematic.  I think you want to explicitly
distinguish between the containment and association cases; see my
previous mail.  I believe that for example you would want containment
when a principal is very tightly bound to some object.  For example
the host principal and a host object; the user principal and the user
object.  Other principals--services on a host, additional instances,
etc. should be associated.

Do you need to limit where these objects can live for
read or write?  I understand you need to limit where these objects are
created by your code, but can you just find the principal object
wherever it exists?

    Praveenkumar> Two way links between the LDAP object and the
    Praveenkumar> krbprincipal object will be created.

Why do you need two way links?  If you have two way links they
can get out of sync.
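
The drift problem raised above, illustrated with an added example that is not part of the thread or of the MIT krb5 LDAP schema: an audit over a constructed directory snapshot that flags two-way links which have become one-way or dangling. The link attribute names `krbPrincipalRef` and `krbObjectRef`, the `cn=krb` container and all DNs are hypothetical.

```python
# Added example (not from the thread): audit a directory snapshot for
# two-way links between user/host objects and krbprincipal objects that
# have drifted out of sync. Attribute names and DNs are hypothetical.
from dataclasses import dataclass, field

# Hypothetical link attributes; the real schema may use different names.
FORWARD_ATTR = "krbPrincipalRef"   # on the user/host object -> principal DN
BACKWARD_ATTR = "krbObjectRef"     # on the krbprincipal object -> owner DN


@dataclass
class Entry:
    dn: str
    attrs: dict = field(default_factory=dict)


def audit_links(entries):
    """Return (kind, dn, target) findings: 'dangling' when the target DN
    does not exist, 'one-way' when the target does not link back."""
    by_dn = {e.dn.lower(): e for e in entries}
    findings = []
    for e in entries:
        for attr, reverse in ((FORWARD_ATTR, BACKWARD_ATTR), (BACKWARD_ATTR, FORWARD_ATTR)):
            for target in e.attrs.get(attr, []):
                t = by_dn.get(target.lower())
                if t is None:
                    findings.append(("dangling", e.dn, target))
                elif e.dn.lower() not in (x.lower() for x in t.attrs.get(reverse, [])):
                    findings.append(("one-way", e.dn, target))
    return findings


# Constructed sample snapshot: one consistent pair and two drifted links.
SAMPLE = [
    Entry("uid=alice,ou=people,dc=example,dc=com",
          {FORWARD_ATTR: ["krbPrincipalName=alice@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krb"]}),
    Entry("krbPrincipalName=alice@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krb",
          {BACKWARD_ATTR: ["uid=alice,ou=people,dc=example,dc=com"]}),
    # host object still points at a principal that was deleted: dangling
    Entry("cn=web1,ou=hosts,dc=example,dc=com",
          {FORWARD_ATTR: ["krbPrincipalName=host/web1@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krb"]}),
    # principal was re-pointed at bob but bob's object was never updated: one-way
    Entry("krbPrincipalName=HTTP/web1@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krb",
          {BACKWARD_ATTR: ["uid=bob,ou=people,dc=example,dc=com"]}),
    Entry("uid=bob,ou=people,dc=example,dc=com", {}),
]

if __name__ == "__main__":
    for kind, dn, target in audit_links(SAMPLE):
        print(f"{kind}: {dn} -> {target}")
```

With a single-direction association (one link attribute, the reverse found by search), the one-way case cannot arise and only the dangling check remains.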
