more ldap concerns

Will Fiveash William.Fiveash at sun.com
Mon Jun 5 17:49:15 EDT 2006


On Sun, Jun 04, 2006 at 12:21:39PM -0400, Sam Hartman wrote:
> >>>>> "Jeffrey" == Jeffrey Hutzelman <jhutz at cmu.edu> writes:
> 
> 
>     Jeffrey> I question the utility of setting these parameters in the
>     Jeffrey> directory at all.  KDC configuration is not directory
>     Jeffrey> information.
> 
>     Jeffrey> -- Jeff
> 
> 
> We believe that setting per-realm configuration in the directory is
> entirely reasonable as unlike the kdc configuration files the database
> will be replicated.
> 
> 
> I'm not sure what I think of the argument about whether this should be
> set by default.

I just think it makes more sense to default to not setting the
supported_enctype attribute in the realm object and making the admin 
specify it on the command line.  This is the paradigm (sort of) with the
current kdc.conf files where one has to explicitly set
supported_enctype.

> I tend to agree that supporting automatic upgrade of enctypes as new
> code is deployed would be nice.  However having enctypes supported by
> default that are not on the krbtgt principal is not all that useful.

One can easily update the keys for the krbtgt principal (cpw -randkey).
Now the realm object must also be updated (one more thing to worry
about).

-- 
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
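The drift discussed above, a supported_enctypes setting (in kdc.conf or a realm object) that advertises enctypes the krbtgt principal no longer carries keys for, can be checked mechanically. The script below is an added example written for this thread, not code from MIT Kerberos or the list; it assumes the kdc.conf `enctype:salt` token syntax and the `kadmin getprinc` `Key: vno N, <enctype>[, <salt>]` line format, and the alias table and sample inputs are constructed.

```python
"""Report enctypes advertised in supported_enctypes but absent from the
krbtgt principal's keys. Example for the krbdev thread; sample data is
constructed, not captured from a real KDC."""
import re

# Assumed subset of kdc.conf enctype aliases -> names as printed by getprinc.
ALIASES = {
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "des3-hmac-sha1": "des3-cbc-sha1",
    "des3-cbc-sha1-kd": "des3-cbc-sha1",
    "rc4-hmac": "arcfour-hmac",
    "arcfour-hmac-md5": "arcfour-hmac",
}


def canonical(name):
    return ALIASES.get(name, name)


def parse_supported_enctypes(line):
    """'supported_enctypes = aes256-cts:normal des-cbc-crc:v4' -> set of enctypes."""
    _, _, value = line.partition("=")
    return {canonical(tok.split(":", 1)[0]) for tok in value.split()}


def parse_krbtgt_keys(getprinc_output):
    """Collect enctypes from 'Key: vno N, <enctype>[, <salt>]' lines."""
    pattern = re.compile(r"^Key: vno \d+, ([^,\n]+)", re.M)
    return {canonical(m.group(1).strip()) for m in pattern.finditer(getprinc_output)}


def advertised_but_missing(kdc_conf_line, getprinc_output):
    """Enctypes a client may request that the KDC cannot issue a TGT in."""
    return sorted(parse_supported_enctypes(kdc_conf_line) - parse_krbtgt_keys(getprinc_output))


# Constructed sample: the config still advertises three enctypes ...
SAMPLE_CONF = "supported_enctypes = aes256-cts:normal aes128-cts:normal des-cbc-crc:normal"
# ... but the last 'cpw -randkey' on krbtgt produced only AES keys.
SAMPLE_GETPRINC = """Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    print(advertised_but_missing(SAMPLE_CONF, SAMPLE_GETPRINC))
```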