An alternative plan for principal mapping

Luke Howard lukeh at
Sun Jul 30 09:56:54 EDT 2006

>1. The KDC should apply the user's login policies and password policies
>   to the principal.

One problem with this approach is that there is no directory-
server-agnostic way to apply logon policy, auditing, etc., if
you are not actually binding to the directory as the client.
(Unless you assume that the LDAP password policy draft will
gain widespread traction. I concede that is a possibility,
but it still has the problem of duplicating the authorization
code path.)

I have often thought that it would be useful to specify
an LDAP control that could be used when looking up a principal,
to request that the directory server enforce the policy it
would apply if the principal were binding directly. The control
could allow the authentication authority (the KDC) to convey
logon time, end address, etc.

Another approach would be to use an extended operation but
the control approach has the advantage of avoiding a round
trip to the directory.

Note that RFC 4370 is insufficient to implement this, because
the client will typically have fewer directory privileges than
the authentication authority.

-- Luke
