On 2/28/07, Quanah Gibson-Mount <[EMAIL PROTECTED]> wrote:
... Although this is the attribute I use for my OpenLDAP directories, I will note that this attribute is not part of any RFC standard. In fact, there is no RFC-standardized way of storing Kerberos principals in a directory that I'm aware of. I raised this issue to MIT and Heimdal once, and apparently they are "working" on something. But that was several years ago. I certainly would ensure that this not be a hard-coded method of making SASL/GSSAPI work. The sasl-regexp bits from OpenLDAP are pretty handy in this area; you may wish to review them if you haven't yet.
I often lament that there isn't a standard suite of schemata suitable for an enterprise. To get the ball rolling, we reused the first Kerberos schema we found, the old krb5kdc.schema. We'll need something better soon. We did look around, for example at some work taking place at DMTF, but never found anything. A design effort would be great.

Enrique
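As an added illustration of the sasl-regexp approach mentioned above (example configuration written for this thread, not taken from the original messages or from OpenLDAP's own documentation), assuming the realm EXAMPLE.COM, the suffix dc=example,dc=com, and the krbPrincipalName attribute from krb5kdc.schema:

```conf
# Example slapd.conf fragment (assumed realm EXAMPLE.COM, assumed suffix
# dc=example,dc=com). After a successful SASL/GSSAPI bind, slapd derives an
# authentication identity of the form
#
#   uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth
#
# The regexp below rewrites that identity into an LDAP search URL; the single
# entry matched by the search becomes the bound DN. The attribute holding the
# principal (here krbPrincipalName) is named only in this one directive, so
# swapping to a different schema later means changing one line, not client or
# application code.
#
# The realm is pinned in the pattern on purpose: an unanchored cn=([^,]*)
# would let a principal from any trusted realm be mapped onto the entry of a
# same-named local user. Check the exact spelling and case of the realm that
# slapd puts in the DN (ldapwhoami -Y GSSAPI shows it) before relying on this.
# In OpenLDAP 2.2 and later the directive is also available as authz-regexp.

sasl-regexp
  "uid=([^,]*),cn=example\.com,cn=gssapi,cn=auth"
  "ldap:///dc=example,dc=com??sub?(krbPrincipalName=$1@EXAMPLE.COM)"
```

If the search returns zero or more than one entry the bind is still authenticated but ends up with no mapped directory DN, so a quick `ldapwhoami -Y GSSAPI` after each schema change is a cheap regression check.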
