[17420] in Kerberos_V5_Development
PKINIT and DN Mapping support in MIT kerberos
daemon@ATHENA.MIT.EDU (Matthieu Hautreux)
Wed Nov 23 06:02:58 2011
MIME-Version: 1.0
Date: Wed, 23 Nov 2011 12:02:52 +0100
Message-ID: <CAChPGiBfkGZ514c7SX6gxfoBzU1kThhMc8STn1zPRJggpmOtPA@mail.gmail.com>
From: Matthieu Hautreux <matthieu.hautreux@gmail.com>
To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
Hi,
I do not know if this is the right list or if I should use the kerberos
standard list. Please tell me if you think I should send that to the
other one.
I would like to set up a PKINIT enabled kerberos server in order to
glue multiple X.509 PKIs with a single kerberos REALM. The PKIs were
created prior to any considerations of using PKINIT and thus do not
conform to the PKINIT RFC (SAN/EKU). As a result, I need to have a
mapping between X.509 DN and associated principal(s). Looking at the
code and the svn, it seems that a dn_mapping_file was introduced in
the configuration structure in 2007 but the logic was not implemented
at that time and is still not present.
I would like to know if it is something that is planned for the future
or you see issues with such a feature that would prevent adding it to
the main branch. Without such a feature, I do not see how to manage
PKINIT; do you see an alternative? I am currently thinking about a
Heimdal slave for that purpose as Heimdal provides this mapping
feature but I would rather use the MIT version.
Thanks in advance for your help.
Regards,
Matthieu
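The mapping logic the message asks for, written out as an added example (it is not part of the post, and it is not MIT Kerberos or Heimdal code). It shows the two paths a KDC has to distinguish: a certificate that conforms to RFC 4556 carries the principal in an id-pkinit-san otherName (OID 1.3.6.1.5.2.2), while a legacy certificate without that SAN can only be mapped through an explicit (issuer DN, subject DN) table. The mapping file format (`principal:issuer|subject` lines), the simplified dictionary standing in for a parsed certificate, and the realm and principal names are all constructed for this example; the DN canonicalisation is the point a practitioner would want to check, since attribute-type case and spacing vary between tools while values must still match exactly.

```python
"""X.509 -> Kerberos principal mapping for PKINIT clients whose certificates
lack the RFC 4556 SAN.  Added example, not MIT Kerberos or Heimdal code."""

# OID of the id-pkinit-san otherName defined in RFC 4556 section 3.2.2.
ID_PKINIT_SAN = "1.3.6.1.5.2.2"

# Constructed mapping file.  The "principal:issuer_dn|subject_dn" layout is
# an assumption for this example, not MIT's dn_mapping_file format.  Keying on
# the issuer as well as the subject means a certificate from another CA with
# the same subject name cannot claim the principal.
MAPPING_FILE = """\
# comments and blank lines are ignored
alice@EXAMPLE.COM:CN=Lab CA,O=Example|CN=Alice Liddell,OU=Lab,O=Example
bob@EXAMPLE.COM:CN=HR CA,O=Example|CN=Bob,OU=HR,O=Example
"""


def split_unescaped(s, sep):
    """Split on sep while honouring RFC 4514 backslash escapes, so that a
    value such as 'O=Acme\\, Inc' is not torn into two RDNs."""
    out, cur, i = [], [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])      # keep the escape pair verbatim
            i += 2
            continue
        if c == sep:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    out.append("".join(cur))
    return out


def normalize_dn(dn):
    """Canonicalise an RFC 4514 DN string: attribute types are case-folded
    and whitespace around '=' and ',' is dropped, but attribute values are
    compared exactly.  Loosening value comparison would widen who can map
    to a given principal, so that is deliberately not done."""
    parts = []
    for rdn in split_unescaped(dn, ","):
        typ, _, val = rdn.partition("=")
        parts.append(f"{typ.strip().upper()}={val.strip()}")
    return ",".join(parts)


def load_mapping(text):
    """Parse the mapping file into {(issuer, subject): principal}, refusing
    ambiguous entries that map one certificate name to two principals."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        principal, _, rest = line.partition(":")
        issuer, _, subject = rest.partition("|")
        if not (principal and issuer and subject):
            raise ValueError(f"mapping line {lineno}: expected principal:issuer|subject")
        key = (normalize_dn(issuer), normalize_dn(subject))
        if key in table and table[key] != principal:
            raise ValueError(f"mapping line {lineno}: {key} already mapped to {table[key]}")
        table[key] = principal
    return table


def map_certificate(cert, mapping, realm):
    """Return the principal for an already chain-validated client certificate,
    or None.  `cert` is a simplified stand-in for a parsed certificate:
    {'issuer': DN string, 'subject': DN string, 'san': [(oid, value), ...]}."""
    # 1. RFC 4556 path: a conforming certificate names the principal in the SAN.
    for oid, value in cert.get("san", []):
        if oid == ID_PKINIT_SAN:
            # Only accept names in this KDC's realm; a SAN for a foreign realm
            # is not silently downgraded to a DN lookup.
            return value if value.endswith("@" + realm) else None
    # 2. Legacy path: exact (issuer, subject) lookup in the mapping table.
    key = (normalize_dn(cert["issuer"]), normalize_dn(cert["subject"]))
    return mapping.get(key)


if __name__ == "__main__":
    table = load_mapping(MAPPING_FILE)
    legacy = {"issuer": "cn=Lab CA, o=Example",
              "subject": "CN=Alice Liddell, OU=Lab, O=Example", "san": []}
    print(map_certificate(legacy, table, "EXAMPLE.COM"))
```

The lookup is only meaningful after the KDC has validated the certificate chain to a CA it trusts for PKINIT; the mapping decides which principal a trusted certificate stands for, not whether the certificate is trusted.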
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev