new error message/return code for kdb5_util unsupported commands

Sam Hartman hartmans at MIT.EDU
Wed May 31 12:07:00 EDT 2006

>>>>> "greg" == greg  <greg at> writes:

    greg> On May 24, 8:39pm, Will Fiveash wrote: } Subject: new error
    greg> message/return code for kdb5_util unsupported commands

    greg> Good morning, hope everyone's day is starting well.
    greg> I understand the motivations in sacrificing 15+ years of
    greg> well documented security practices at the altar of
    greg> manageability.  I don't agree with them but do understand
    greg> them.  Watching 4 months of dialogue on this issue causes me
    greg> to believe the horse is being approached from the wrong end,
    greg> which tends to result in getting kicked in the privates.

    greg> LDAP is a protocol not a database.  Has anyone considered
    greg> bolting an LDAP interface onto the KDC?

Yes.  For many years, this was the approach I favored.  I'd still like
to do that.  However it doesn't actually meet everyone's needs.

People want to use LDAP implementations because of their ability to
handle replication and because they want the data to live in one place
for backups.

That requires having an LDAP backend to the database.

You might want an LDAP admin protocol for manageability.  What we
provide does not actually give you that (although people will
doubtless hurt themselves assuming they have it).  As an example, the
way keys are stored in this protocol is not what you would want for an
admin protocol although it is reasonably OK for our implementation's

I do still believe an admin schema is needed and I do hope that we do
that work.  I also hope that we have frontends that speak that admin
schema.  However no one seems interested in writing that code.

