new error message/return code for kdb5_util unsupported commands

greg@enjellic.com greg at enjellic.com
Thu Jun 1 10:29:47 EDT 2006


On May 31, 11:48am, Jeffrey Hutzelman wrote:
} Subject: Re: new error message/return code for kdb5_util unsupported comma

Hi Jeff, thanks for the note.

> On Wednesday, May 31, 2006 09:55:02 AM -0500 greg at enjellic.com wrote:
> 
> > Using LDAP as the management protocol means people just need to agree
> > on a schema definition.  I'm assuming this agreement is already a
> > given considering the work with DAL.

> It's worth noting that there is a group of people who have been
> working for some time towards a standardized management protocol
> based on LDAP.  I'm fairly sure some of them read this list, and I'd
> suggest talking to them before going off and doing something from
> scratch.

That's certainly interesting to know.  If any of them are listening I
would be interested in a pointer to what has been written to date on
this.

There would seem to be issues at two separate levels.  The most
immediate and practical concern is bolting an LDAP interface onto an
existing Kerberos KDC implementation.  It doesn't sound like anyone
has done this with MIT yet.

The second issue is with a standardized schema definition.  When you
say 'standardized management protocol based on LDAP' I'm assuming you
mean a schema definition.

The two problems should be essentially orthogonal.  Getting the basic
wiring in place is a matter of teaching an LDAP front-end to map
object updates/modifications into the context of a backing store.
Implemented properly, a change in the object/attributes being mapped
should be a straightforward exercise.

> The IETF Kerberos WG has also been working on a standardized
> set/change password protocol which is nearly complete.  The new
> protocol also includes features to support management of keys (not
> necessarily derived from passwords).

Interesting, yet another protocol for people to interpret.  Given the
current context of discussion it would seem in the common interest to
implement an LDAP object definition rather than a protocol.

OTOH our own experiences are leading us to believe in the power of
XML.  The 'protocol' turns into the definition of a DTD describing the
transaction to be executed.  Validating parsers tend to make protocol
compliance straightforward.

> -- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
>    School of Computer Science - Research Computing Facility
>    Carnegie Mellon University - Pittsburgh, PA

Thanks for the information, best wishes for a productive week.

}-- End of excerpt from Jeffrey Hutzelman

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-1686	    WEB:	http://www.hurderos.org
FAX: 701-281-3949           EMAIL:	greg at enjellic.com
------------------------------------------------------------------------------
"The POP3 server service depends on the SMTP server service, which failed
to start because of the following error:  The operation completed
successfully."
                                -- Windows NT server v3.51