need help with LDAP plug-in code and liblber dependency
Sam Hartman
hartmans at MIT.EDU
Thu May 25 22:02:50 EDT 2006
>>>>> "Ken" == Ken Raeburn <raeburn at MIT.EDU> writes:
Ken> On May 25, 2006, at 21:25, Sam Hartman wrote:
>> Wait, why does the ldap command need to bind using a different
>> identity than the kdc will use?
Ken> I would expect in some configurations the KDC would have
Ken> read-only access, the kadmind, if you run one, would have
Ken> write access in places but would not be permitted to create
Ken> or modify a realm container, etc. So the administrator
Ken> setting up the realm may need privileges that none of the
Ken> server programs have.
OK.
I'm a bit concerned that we managed to hard-code authentication types
in places. In particular the KDC and kadmind require ssl and for
example cannot use sasl auth. The client appears to require password
auth and for example cannot use sasl or ssl certs.
This seems undesirable.