[Kerberos] Kerberos + OpenLDAP

g.w@hurderos.org g.w at hurderos.org
Thu Mar 1 01:09:29 EST 2007


On Feb 28,  1:21pm, "Apache Directory Developers List" wrote:
} Subject: Re: [Kerberos] Kerberos + OpenLDAP

Good evening to everyone.

> --On Tuesday, February 27, 2007 6:34 PM -0800 Enrique Rodriguez 
> <enriquer9 at gmail.com> wrote:
> 
> > Use 'ldap' for LDAP:
> > krb5PrincipalName: ldap/www.example.com@EXAMPLE.COM

> Although this is the attribute I use for my OpenLDAP directories, I
> will note that this attribute is not the part of any RFC standard.
> In fact, there is no RFC standardized way of storing Kerberos
> principals in a directory that I'm aware of.  I raised this issue to
> MIT and Heimdal once, and apparently they are "working" on
> something.  But that was several years ago.

The situation may have effectively changed now.

I'm polishing off the details of a kadmin back-end for OpenLDAP.  The
goal of this work is to be able to manage an MIT KDC implementation by
running an OpenLDAP server rather than kadmind on the KDC.  Putting
this into effective use requires some thought on how to develop an LDAP
based abstraction for a KDC entry.

I looked at a number of schema representations.  It's not an RFC but
the most logical abstraction to use seemed to be the schema which
Novell developed for the LDAP back-end to MIT Kerberos.  The 1.6
sources have the schema in the following location:

krb5-1.6/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema

I believe some effort was placed into coordinating schema details
between Novell, SUN, MIT and Heimdal if I'm not mistaken.

I'm still sorting details but the schema seems to be sufficient to
support abstracting MIT kadmind functionality into an LDAP interface
definition.  Although mechanistically different, ADS is essentially
faced with the problem of presenting the same type of abstraction.

It would seem logical for all these efforts to converge on a common
schema.  The above schema may be as good a place to start as any.

> --Quanah

Best wishes for a productive remainder of the week.

}-- End of excerpt from "Apache Directory Developers List"

As always,
Greg Wettstein

------------------------------------------------------------------------------
			 The Hurderos Project
         Open Identity, Service and Authorization Management
                       http://www.hurderos.org

"The avalanche has already started; it is too late for the pebbles to
 vote."
                                -- Kosh, "Believers", Babylon 5
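As an added illustration (not code from this thread or from the kadmin back-end described in it), the following Python parses the principal-name form used in the krb5PrincipalName attribute quoted above and reports deviations from the usual service/host@REALM conventions; the convention checks themselves are assumptions, not something the thread mandates.

```python
def parse_principal(name):
    """Split a Kerberos principal string into (components, realm).

    Uses the RFC 1964 text form: '/' separates name components, '@'
    introduces the realm, and a backslash escapes either character so
    it can appear literally inside a component.
    """
    components, buf, realm, i = [], [], None, 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):      # escaped character
            buf.append(name[i + 1])
            i += 2
            continue
        if realm is None and ch == "/":            # component boundary
            components.append("".join(buf))
            buf = []
        elif realm is None and ch == "@":          # start of the realm
            components.append("".join(buf))
            buf, realm = [], ""
        else:
            buf.append(ch)
        i += 1
    if realm is None:
        raise ValueError("missing realm in %r" % name)
    realm = "".join(buf)
    if not realm or "" in components:
        raise ValueError("empty component or realm in %r" % name)
    return components, realm


def service_principal_issues(name, service="ldap"):
    """Return the problems found in a service principal such as
    ldap/www.example.com@EXAMPLE.COM.  The checks encode common
    conventions (an assumption, not a rule from the thread):
    exactly service/host, lowercase FQDN host, uppercase realm."""
    try:
        comps, realm = parse_principal(name)
    except ValueError as exc:
        return [str(exc)]
    issues = []
    if len(comps) != 2:
        issues.append("expected the two-component service/host form")
    elif comps[0] != service:
        issues.append("service is %r, expected %r" % (comps[0], service))
    elif comps[1] != comps[1].lower() or "." not in comps[1]:
        issues.append("host should be a lowercase fully qualified name")
    if realm != realm.upper():
        issues.append("realm should be uppercase")
    return issues
```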
