need help with LDAP plug-in code and liblber dependency

Sam Hartman hartmans at MIT.EDU
Thu May 25 22:02:50 EDT 2006

>>>>> "Ken" == Ken Raeburn <raeburn at MIT.EDU> writes:

    Ken> On May 25, 2006, at 21:25, Sam Hartman wrote:
    >> Wait, why does the ldap command need to bind using a different
    >> identity than the kdc will use?

    Ken> I would expect in some configurations the KDC would have
    Ken> read-only access, the kadmind, if you run one, would have
    Ken> write access in places but would not be permitted to create
    Ken> or modify a realm container, etc.  So the administrator
    Ken> setting up the realm may need privileges that none of the
    Ken> server programs have.


I'm a bit concerned that we managed to hard-code authentication types
in places.  n particular the KDC and kadmind require ssl and for
example cannot use sasl auth.  The client appears to require password
auth and for example cannot use sasl or ssl certs.

This seems undesirable.

More information about the krbdev mailing list