
Re: Ticket extensions in Kerberos revisions

daemon@ATHENA.MIT.EDU (Russ Allbery)
Thu May 4 00:41:30 2000

To: ietf-cat-wg@lists.Stanford.EDU, krb-protocol@MIT.EDU
In-Reply-To: Ken Hornstein's message of "Thu, 04 May 2000 00:25:17 -0400"
From: Russ Allbery <rra@stanford.edu>
Date: 03 May 2000 21:41:14 -0700
Message-Id: <ylbt2nvset.fsf@windlord.stanford.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:

>> Doing the authorization queries against an external database using the
>> Kerberos identity information as the key works.  We've widely deployed
>> it and related systems at Stanford for a variety of different
>> applications, and in fact using LDAP for this seems to scale even
>> better than a standard Kerberos server setup.  LDAP has real-time
>> replication, something akin to commits and rollbacks, changelogs that
>> can be replayed, and lots of other protocol infrastructure aimed at
>> solving the distribution, scaling, and replication problems even better
>> than Kerberos's support for multiple authentication servers.

> I feel I must point out that this is technically _not_ a feature of LDAP
> per se, but the LDAP implementations.  You could do the same things with
> Kerberos, and some of the commercial versions have done that; it's just
> that no one has (yet) spent the time & energy in the freeware Kerberos
> versions that are out there.

I was under the impression that the protocols for doing replication were
standardized, as was the import/export format (or at least being actively
worked on within the IETF).  I don't follow LDAP standardization closely,
though, so my apologies if I'm mistaken.

I certainly agree that this is possible in Kerberos (and Transarc has been
doing it with AFS's Kerberos implementation for a while), but developing a
client/server replication protocol would IMO be the first step of doing
that generally and with interoperability.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
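The quoted design, an authorization lookup in an external directory keyed by the Kerberos identity, as an added example. This is not code from the message, from Stanford's deployment, or from any Kerberos or LDAP implementation: the "directory" is a constructed in-memory table standing in for an LDAP query, the trusted-realm list is an assumption, and the principal names are made up. What it does show is the part that matters for safety when the key is an authenticated principal name: the name is parsed with Kerberos' backslash escaping, the realm is checked against an allowlist before any lookup, and the directory is keyed on the canonical (re-escaped) form so two spellings of the same principal cannot map to different entries.

```python
# Added example: authorization lookup keyed by an authenticated Kerberos principal.
# The directory below is a constructed stand-in for an LDAP search; nothing here
# talks to a KDC or a directory server.
from dataclasses import dataclass


def _escape(s: str) -> str:
    """Escape the separators so a component can be re-joined unambiguously."""
    return s.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")


@dataclass(frozen=True)
class Principal:
    components: tuple  # e.g. ("host", "www.example.com")
    realm: str         # e.g. "EXAMPLE.COM" (case-sensitive, not folded)

    def canonical(self) -> str:
        """Canonical spelling: components joined by '/', then '@' and the realm,
        with separators inside a component escaped. parse_principal() round-trips it."""
        return "/".join(_escape(c) for c in self.components) + "@" + _escape(self.realm)


def parse_principal(name: str) -> Principal:
    """Split 'comp1/comp2@REALM' into components and realm.

    A backslash escapes the next character, so 'a\\/b@R' is one component "a/b".
    The realm is everything after the first unescaped '@'; a second unescaped '@'
    or a '/' inside the realm is rejected. Raises ValueError on malformed input."""
    parts, buf, in_realm, i = [], [], False, 0
    while i < len(name):
        c = name[i]
        if c == "\\":
            if i + 1 >= len(name):
                raise ValueError("dangling escape at end of principal")
            buf.append(name[i + 1])
            i += 2
            continue
        if not in_realm and c == "/":
            parts.append("".join(buf))
            buf = []
        elif not in_realm and c == "@":
            parts.append("".join(buf))
            buf = []
            in_realm = True
        elif in_realm and c in "/@":
            raise ValueError("separator inside realm")
        else:
            buf.append(c)
        i += 1
    if not in_realm:
        raise ValueError("principal has no realm")
    realm = "".join(buf)
    if not realm or any(p == "" for p in parts):
        raise ValueError("empty component or realm")
    return Principal(tuple(parts), realm)


# Assumption: only principals from these realms may be authorized at all.
TRUSTED_REALMS = frozenset({"EXAMPLE.COM"})

# Constructed stand-in for the directory: canonical principal -> groups.
DIRECTORY = {
    "alice@EXAMPLE.COM": frozenset({"wiki-editors", "staff"}),
    "bob/admin@EXAMPLE.COM": frozenset({"wiki-admins", "staff"}),
    "mallory@EVIL.EXAMPLE": frozenset({"wiki-admins"}),  # untrusted realm: never consulted
}


def authorized_groups(name: str) -> frozenset:
    """Groups for an authenticated principal name, or an empty set when the name is
    malformed, the realm is not trusted, or the principal is unknown. Parsing first and
    keying on the canonical form means the directory is only ever asked about a
    well-formed principal in a realm we accept."""
    try:
        principal = parse_principal(name)
    except ValueError:
        return frozenset()
    if principal.realm not in TRUSTED_REALMS:
        return frozenset()
    return DIRECTORY.get(principal.canonical(), frozenset())


def is_authorized(name: str, group: str) -> bool:
    """True when the principal's directory entry lists the required group."""
    return group in authorized_groups(name)


if __name__ == "__main__":
    for who in ("alice@EXAMPLE.COM", "bob/admin@EXAMPLE.COM", "mallory@EVIL.EXAMPLE", "bad@@X"):
        print(who, "->", sorted(authorized_groups(who)))
```

The realm check happens before the directory is consulted, not after: a cross-realm ticket from a realm the service does not trust should never reach the lookup, even if an identically spelled entry happens to exist.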