[480] in Kerberos_Protocol


Re: Ticket extensions in Kerberos revisions

daemon@ATHENA.MIT.EDU (Ken Hornstein)
Thu May 4 00:57:56 2000

Message-Id: <200005040457.AAA06209@ginger.cmf.nrl.navy.mil>
To: ietf-cat-wg@lists.Stanford.EDU, krb-protocol@MIT.EDU
In-Reply-To: Your message of "03 May 2000 21:41:14 PDT."
Date: Thu, 04 May 2000 00:57:34 -0400
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>

>> I feel I must point out that this is technically _not_ a feature of LDAP
>> per se, but the LDAP implementations.  You could do the same things with
>> Kerberos, and some of the commercial versions have done that; it's just
>> that no one has (yet) spent the time & energy in the freeware Kerberos
>> versions that are out there.
>I was under the impression that the protocols for doing replication were
>standardized, as was the import/export format (or at least being actively
>worked on within the IETF).  I don't follow LDAP standardization closely,
>though, so my apologies if I'm mistaken.

Certainly there is the LDUP working group, and they have a number of
Internet-Drafts out (but no RFCs AFAIK).  But AFAIK, none of it is
required to be implemented (please don't think I'm beating on the
LDAP guys, because they're certainly ahead of Kerberos in this

>I certainly agree that this is possible in Kerberos (and Transarc has been
>doing it with AFS's Kerberos implementation for a while), but developing a
>client/server replication protocol would IMO be the first step of doing
>that generally and with interoperability.

I'm not sure I can see a whole lot of value in being interoperable with
other vendors' Kerberos servers; the database format tends to be very
server implementation-specific.  That's not a problem with LDAP, of
course :-)

