[478] in Kerberos_Protocol

Re: Ticket extensions in Kerberos revisions

daemon@ATHENA.MIT.EDU (Ken Hornstein)
Thu May 4 00:25:31 2000

Message-Id: <200005040425.AAA05995@ginger.cmf.nrl.navy.mil>
To: ietf-cat-wg@lists.Stanford.EDU, krb-protocol@MIT.EDU
In-Reply-To: Your message of "02 May 2000 16:55:43 PDT."
             <yln1m8mrr4.fsf@windlord.stanford.edu> 
Date: Thu, 04 May 2000 00:25:17 -0400
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>

>Doing the authorization queries against an external database using the
>Kerberos identity information as the key works.  We've widely deployed it
>and related systems at Stanford for a variety of different applications,
>and in fact using LDAP for this seems to scale even better than a standard
>Kerberos server setup.  LDAP has real-time replication, something akin to
>commits and rollbacks, changelogs that can be replayed, and lots of other
>protocol infrastructure aimed at solving the distribution, scaling, and
>replication problems even better than Kerberos's support for multiple
>authentication servers.

I feel I must point out that this is technically _not_ a feature of LDAP
per se, but the LDAP implementations.  You could do the same things with
Kerberos, and some of the commercial versions have done that; it's just
that no one has (yet) spent the time & energy in the freeware Kerberos
versions that are out there.

--Ken
