[19085] in Kerberos


Re: Kerberos Backend for LDAP

daemon@ATHENA.MIT.EDU (Matthew Smith)
Wed Apr 16 16:04:49 2003

Date: Wed, 16 Apr 2003 15:52:19 -0400
From: Matthew Smith <matt@forsetti.com>
Message-ID: <3e9db47c@news0.ucc.uconn.edu>
To: kerberos@MIT.EDU
Errors-To: kerberos-bounces@mit.edu

Booker Bense wrote:
> On Tue, 15 Apr 2003, Sam Hartman wrote:
> 
> 
>>>>>>>"Booker" == Booker Bense <bbense@SLAC.Stanford.EDU> writes:
>>
>>    Booker> - There are quite a few people that think this kind of
>>    Booker> setup would be a good idea. It would help in a lot of
>>    Booker> areas in which kerberos is currently very weak or has
>>    Booker> missing standards.  Probably the biggest benefit would be
>>    Booker> a standardized admin interface and an incremental
>>    Booker> replication protocol. Although since LDAP lacks record
>>    Booker> locking, you'd have to be a bit careful.
>>
>>I don't think you can get both from the same approach.
> 
> 
> - I don't follow the logic here, but since nobody's working on it
> I think it's a dead issue. If I can add/change/delete entries as
> an admin, why can't I do it as a program? I've implemented such
> an approach between K4 and K5, I don't see why it wouldn't work
> between K5 and K5? It does require a single choke point and a
> queueing system of some sort.
> 
> 
>>And I'm not
>>convinced that LDAP replication is really enough for Kerberos's needs.
>>
> 
> 
> - As opposed to kprop? Outside of a perhaps increased security
> level what requirements does kerberos have that LDAP doesn't? Of
> course there is the gotcha that there is no current LDAP
> replication standard, but at least one is in the works.
> At sites deploying both MIT and W2k, LDAP is already the de facto
> replication standard.
> 
> - Booker C. Bense
> 
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 

Disclaimer: I will admit, right off the bat, that I am not very familiar
with OpenLDAP.

If there was a back-krb5 for OpenLDAP, would an unmodified slurpd be
able to replicate the krb info, since slurpd just sees it as LDAP info?
Does slurpd use the LDAP interface for obtaining data to replicate, or
does it tie in somewhere behind the scenes?
-Matt
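Booker's point above, that an incremental replication protocol driven by the admin interface "does require a single choke point and a queueing system of some sort" because LDAP offers no record locking, is easier to judge with a concrete model in hand. The script below is an added example written for this archive page; it is not code from the thread, from MIT Kerberos, or from OpenLDAP's slurpd. It models a master KDC that serializes every admin change through one lock into an append-only, sequence-numbered change log (the choke point and queue), and a replica that applies those changes in order, ignores redelivered ones, and refuses to apply a change whose sequence number skips ahead. The principal record layout (`kvno`, `key`, `policy`) and the principal names are constructed sample values, not any KDC's real database format.

```python
# Added example: incremental replication of Kerberos principal records through a
# serialized change log. Record layout and names are illustrative assumptions.
import threading
from dataclasses import dataclass, field


class ReplicationGap(Exception):
    """Raised when a replica receives a change whose sequence number skips ahead."""


@dataclass
class Change:
    seq: int            # strictly increasing; assigned only by the master's log
    op: str             # "add", "modify" or "delete"
    principal: str      # e.g. "alice@EXAMPLE.COM" (constructed sample value)
    attrs: dict = field(default_factory=dict)


class ChangeLog:
    """Master-side queue. Every write takes one lock, so concurrent admin
    operations are totally ordered even though the backing store (an LDAP
    directory, in the thread's proposal) offers no record locking."""

    def __init__(self):
        self._lock = threading.Lock()
        self._entries = []

    def record(self, op, principal, attrs=None):
        with self._lock:
            change = Change(len(self._entries) + 1, op, principal, dict(attrs or {}))
            self._entries.append(change)
            return change

    def since(self, seq):
        """Changes a consumer that has applied up to `seq` still needs, in order."""
        return [c for c in self._entries if c.seq > seq]


class PrincipalStore:
    """Holds principal records and applies changes idempotently and in order.
    The master and every replica are instances of this same class."""

    def __init__(self):
        self.db = {}
        self.applied_seq = 0

    def apply(self, change):
        if change.seq <= self.applied_seq:
            return False                      # redelivered change; already applied
        if change.seq != self.applied_seq + 1:
            raise ReplicationGap(f"expected seq {self.applied_seq + 1}, got {change.seq}")
        if change.op == "add":
            self.db[change.principal] = dict(change.attrs)
        elif change.op == "modify":
            rec = self.db[change.principal]    # KeyError if the principal is unknown
            rec.update(change.attrs)
            if "key" in change.attrs:          # a key change bumps the key version
                rec["kvno"] = rec.get("kvno", 0) + 1
        elif change.op == "delete":
            del self.db[change.principal]
        else:
            raise ValueError(f"unknown op {change.op!r}")
        self.applied_seq = change.seq
        return True

    def sync_from(self, log):
        """Catch up from the log; returns the last sequence number applied."""
        for change in log.since(self.applied_seq):
            self.apply(change)
        return self.applied_seq


def admin_change(log, master, op, principal, attrs=None):
    """The single admin entry point: log first, then apply to the master store."""
    change = log.record(op, principal, attrs)
    master.apply(change)
    return change


def demo():
    """Walks a master and one replica through adds, a rekey and a delete."""
    log, master, replica = ChangeLog(), PrincipalStore(), PrincipalStore()
    admin_change(log, master, "add", "alice@EXAMPLE.COM",
                 {"kvno": 1, "key": "k1", "policy": "default"})
    admin_change(log, master, "add", "svc/host@EXAMPLE.COM", {"kvno": 1, "key": "k2"})
    replica.sync_from(log)                    # replica now at seq 2
    admin_change(log, master, "modify", "alice@EXAMPLE.COM", {"key": "k3"})
    admin_change(log, master, "delete", "svc/host@EXAMPLE.COM")
    replica.sync_from(log)                    # replica catches up to seq 4
    return master, replica, log


if __name__ == "__main__":
    m, r, _ = demo()
    print("in sync:", m.db == r.db, "replica at seq", r.applied_seq)
```

The replica's `applied_seq` is the only state it needs to resume after an outage, which is what makes the scheme incremental rather than a full dump like kprop; the gap check is what stops a replica from silently skipping a change if the log is truncated or delivered out of order.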

