[Kerberos] Kerberos + OpenLDAP

[Quanah Gibson-Mount]

--On Thursday, March 01, 2007 12:09 AM -0600 g.w at hurderos.org wrote:

> On Feb 28,  1:21pm, "Apache Directory Developers List" wrote:
> } Subject: Re: [Kerberos] Kerberos + OpenLDAP
>
> Good evening to everyone.
>
>> --On Tuesday, February 27, 2007 6:34 PM -0800 Enrique Rodriguez
>> <enriquer9 at gmail.com> wrote:
>>
>> > Use 'ldap' for LDAP:
>> > krb5PrincipalName: ldap/www.example.com at EXAMPLE.COM
>
>> Although this is the attribute I use for my OpenLDAP directories, I
>> will note that this attribute is not the part of any RFC standard.
>> In fact, there is no RFC standardized way of storing Kerberos
>> principals in a directory that I'm aware of.  I raised this issue to
>> MIT and Heimdal once, and apparently they are "working" on
>> something.  But that was several years ago.
>
> The situation may have effectively changed now.
>
> I'm polishing off the details of a kadmin back-end for OpenLDAP.  The
> goal of this work is to be able to manage an MIT KDC implementation by
> running an OpenLDAP server rather than kadmind on the KDC.  Putting
> this into effective use requires some thought on how to develop an LDAP
> based abstraction for a KDC entry.
>
> I looked at a number of schema representations.  Its not an RFC but
> the most logical abstraction to use seemed to be the schema which
> Novell developed for the LDAP back-end to MIT Kerberos.  The 1.6
> sources have the schema in the following location:
>
> krb5-1.6/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
>
> I believe some effort was placed into coordinating schema details
> between Novell, SUN, MIT and Heimdal if I'm not mistaken.

Greg,

Thanks for the update.  It would be nice to see such a schema RFC tracked 
so that it gets included by default with various LDAP providers.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html