new error message/return code for kdb5_util unsupported commands
hartmans at MIT.EDU
Wed May 31 12:07:00 EDT 2006
>>>>> "greg" == greg <greg at enjellic.com> writes:
greg> On May 24, 8:39pm, Will Fiveash wrote: } Subject: new error
greg> message/return code for kdb5_util unsupported commands
greg> Good morning, hope everyone's day is starting well.
greg> I understand the motivations in sacrificing 15+ years of
greg> well documented security practices at the altar of
greg> manageability. I don't agree with them but do understand
greg> them. Watching 4 months of dialogue on this issue causes me
greg> to believe the horse is being approached from the wrong end,
greg> which tends to result in getting kicked in the privates.
greg> LDAP is a protocol not a database. Has anyone considered
greg> bolting an LDAP interface onto the KDC?
Yes. For many years, this was the approach I favored. I'd still like
to do that. However it doesn't actually meet everyone's needs.
People want to use LDAP implementations because of their ability to
handle replication and because they want the data to live in one place
That requires having an LDAP backend to the databse.
You might want an LDAP admin protocol for managability. What we
provide does not actually give you that (although people will
doubtless hurt themselves assuming they have it). As an example, the
way keys are stored in this protocol is not what you would want for an
admin protocol although it is reasonably OK for our implementation's
I do still believe an admin schema is needed and I do hope that we do
that work. I also hope that we have frontends that speak that admin
schema. However no one seems interested in writing that code.
More information about the krbdev