more ldap concerns
Ken Raeburn
raeburn at MIT.EDU
Fri Jun 2 18:28:19 EDT 2006
On Jun 2, 2006, at 17:18, Jeffrey Hutzelman wrote:
>> then the code uses an internal version of the enctype parameter to
>> determine what enctypes to use. This is good because if the code is
>> updated to support new enctypes, the k*.conf files do not have to
>> change. If you are specifying these parameters in various objects in
>> the directory by default you are limiting the krb code and possibly
>> creating more work for the admin. I don't think the enctype parameters
>> should be instantiated by default, only if the admin specifies the
>> parameter settings via the command line.
>
> I question the utility of setting these parameters in the directory
> at all. KDC configuration is not directory information.
Things like this would presumably be per-realm configuration, not
per-KDC configuration.
Though, in fact, I don't think it's anything the KDC even looks at;
I'm not sure where in the code this list (or the "default enctype"
for the realm, a term that bothers me) is used. So I'm not sure what
it's intended for...