new error message/return code for kdb5_util unsupported commands
raeburn at MIT.EDU
Fri May 26 14:46:38 EDT 2006
On May 26, 2006, at 10:24, greg at enjellic.com wrote:
> I understand the motivations in sacrificing 15+ years of well
> documented security practices at the altar of manageability.
The assumption seems to be that the LDAP back end data (and service
implementation) is going to be as well protected as your KDC because
that's where you store all your account data etc; or, conversely,
authentication data is not seen as any more important than the rest.
Not true in some environments, but it probably is in others.
I haven't experimented with LDAP tools much, but purely for
administration of a Kerberos database, the protocol is probably no
worse than the special-purpose admin protocol MIT has (or the
different one Heimdal has). There's probably a lot there that a
kadmin type program doesn't need, but then again, the code probably
gets exercised more to get bugs shaken out.
> LDAP is a protocol not a database. Has anyone considered bolting an
> LDAP interface onto the KDC?
The idea has crossed my mind, but that's about as far as I've gone. :-)
> OpenLDAP already has a collection of back-ends. I've considered
> engineering an MIT/KDC implementation to add to the list. If someone
> can explain why this is wrong-headed I won't add it to my personal
> amusement list for the summer.
No reasons come to my mind. But like I said, I haven't worked with
LDAP much, and 95% of it's been with this new kdb back end...
More information about the krbdev