[Kerberos] Kerberos + OpenLDAP
quanah at stanford.edu
Thu Mar 1 13:39:09 EST 2007
--On Thursday, March 01, 2007 12:09 AM -0600 g.w at hurderos.org wrote:
> On Feb 28, 1:21pm, "Apache Directory Developers List" wrote:
> } Subject: Re: [Kerberos] Kerberos + OpenLDAP
> Good evening to everyone.
>> --On Tuesday, February 27, 2007 6:34 PM -0800 Enrique Rodriguez
>> <enriquer9 at gmail.com> wrote:
>> > Use 'ldap' for LDAP:
>> > krb5PrincipalName: ldap/www.example.com@EXAMPLE.COM
>> Although this is the attribute I use for my OpenLDAP directories, I
>> will note that this attribute is not the part of any RFC standard.
>> In fact, there is no RFC standardized way of storing Kerberos
>> principals in a directory that I'm aware of. I raised this issue to
>> MIT and Heimdal once, and apparently they are "working" on
>> something. But that was several years ago.
> The situation may have effectively changed now.
> I'm polishing off the details of a kadmin back-end for OpenLDAP. The
> goal of this work is to be able to manage an MIT KDC implementation by
> running an OpenLDAP server rather than kadmind on the KDC. Putting
> this into effective use requires some thought on how to develop an LDAP
> based abstraction for a KDC entry.
> I looked at a number of schema representations. It's not an RFC, but
> the most logical abstraction to use seemed to be the schema which
> Novell developed for the LDAP back-end to MIT Kerberos. The 1.6
> sources have the schema in the following location:
> I believe some effort was placed into coordinating schema details
> between Novell, SUN, MIT and Heimdal if I'm not mistaken.
Thanks for the update. It would be nice to see such a schema RFC tracked
so that it gets included by default with various LDAP providers.
Principal Software Developer
ITS/Shared Application Services
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
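Because there is no RFC-standard attribute for Kerberos principals, directories that use krb5PrincipalName (as the thread does) tend to accumulate inconsistently named entries. The following is an added example, not code from the thread or from any KDC back-end: it parses a constructed, minimal LDIF fragment and audits each krb5PrincipalName value for the primary[/instance]@REALM shape, an expected upper-case realm, and a lower-case fully qualified host in service instances. The attribute name and the naming rules checked are assumptions for illustration.

```python
import re

# Constructed sample LDIF, written for this example; not from a real directory.
# Only simple "attr: value" lines are handled (no base64 "::" or folded lines).
SAMPLE_LDIF = """\
dn: cn=ldap/www.example.com,ou=kerberos,dc=example,dc=com
objectClass: krb5Principal
krb5PrincipalName: ldap/www.example.com@EXAMPLE.COM

dn: cn=host/Mail.Example.com,ou=kerberos,dc=example,dc=com
objectClass: krb5Principal
krb5PrincipalName: host/Mail.Example.com@example.com
"""

# primary, optional /instance, then a single @REALM
PRINCIPAL_RE = re.compile(r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^/@]+))?@(?P<realm>[^@]+)$")


def parse_ldif_entries(text):
    """Split minimal LDIF text into a list of {attribute: [values]} dicts."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_principal(name, expected_realm):
    """Return the list of naming problems found in one principal string."""
    m = PRINCIPAL_RE.match(name)
    if not m:
        return ["not of the form primary[/instance]@REALM"]
    problems = []
    if m["realm"] != expected_realm:
        problems.append("realm does not match " + expected_realm)
    if m["realm"] != m["realm"].upper():
        problems.append("realm is not upper-case")
    inst = m["instance"]
    if inst and inst != inst.lower():
        problems.append("instance host name is not lower-case")
    if inst and "." not in inst:
        problems.append("instance is not a fully qualified host name")
    return problems


def audit_ldif(text, expected_realm):
    """Map every krb5PrincipalName in the LDIF text to its list of problems."""
    return {name: check_principal(name, expected_realm)
            for entry in parse_ldif_entries(text)
            for name in entry.get("krb5PrincipalName", [])}
```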