Re: Ticket extensions in Kerberos revisions
daemon@ATHENA.MIT.EDU (Russ Allbery)
Thu May 4 00:41:30 2000
To: ietf-cat-wg@lists.Stanford.EDU, krb-protocol@MIT.EDU
In-Reply-To: Ken Hornstein's message of "Thu, 04 May 2000 00:25:17 -0400"
From: Russ Allbery <email@example.com>
Date: 03 May 2000 21:41:14 -0700
Content-Type: text/plain; charset=us-ascii
Ken Hornstein <firstname.lastname@example.org> writes:

>> Doing the authorization queries against an external database using the
>> Kerberos identity information as the key works. We've widely deployed
>> it and related systems at Stanford for a variety of different
>> applications, and in fact using LDAP for this seems to scale even
>> better than a standard Kerberos server setup. LDAP has real-time
>> replication, something akin to commits and rollbacks, changelogs that
>> can be replayed, and lots of other protocol infrastructure aimed at
>> solving the distribution, scaling, and replication problems even better
>> than Kerberos's support for multiple authentication servers.

> I feel I must point out that this is technically _not_ a feature of LDAP
> per se, but the LDAP implementations. You could do the same things with
> Kerberos, and some of the commercial versions have done that; it's just
> that no one has (yet) spent the time & energy in the freeware Kerberos
> versions that are out there.

I was under the impression that the protocols for doing replication were
standardized, as was the import/export format (or at least being actively
worked on within the IETF). I don't follow LDAP standardization closely,
though, so my apologies if I'm mistaken.

I certainly agree that this is possible in Kerberos (and Transarc has been
doing it with AFS's Kerberos implementation for a while), but developing a
client/server replication protocol would IMO be the first step of doing
that generally and with interoperability.

-- 
Russ Allbery (email@example.com) <http://www.eyrie.org/~eagle/>