new error message/return code for kdb5_util unsupported commands

Ken Raeburn raeburn at MIT.EDU
Fri May 26 14:46:38 EDT 2006

On May 26, 2006, at 10:24, greg at wrote:
> I understand the motivations in sacrificing 15+ years of well
> documented security practices at the altar of manageability.

The assumption seems to be that the LDAP back end data (and service
implementation) is going to be as well protected as your KDC because
that's where you store all your account data etc; or, conversely,
authentication data is not seen as any more important than the rest.
Not true in some environments, but it probably is in others.

I haven't experimented with LDAP tools much, but purely for
administration of a Kerberos database, the protocol is probably no
worse than the special-purpose admin protocol MIT has (or the
different one Heimdal has).  There's probably a lot there that a
kadmin type program doesn't need, but then again, the code probably
gets exercised more to get bugs shaken out.

> LDAP is a protocol not a database.  Has anyone considered bolting an
> LDAP interface onto the KDC?

The idea has crossed my mind, but that's about as far as I've gone. :-)

> OpenLDAP already has a collection of back-ends.  I've considered
> engineering an MIT/KDC implementation to add to the list.  If someone
> can explain why this is wrong-headed I won't add it to my personal
> amusement list for the summer.

No reasons come to my mind.  But like I said, I haven't worked with
LDAP much, and 95% of it's been with this new kdb back end...
