--On Thursday, March 01, 2007 12:09 AM -0600 [EMAIL PROTECTED] wrote:
On Feb 28, 1:21pm, "Apache Directory Developers List" wrote:
} Subject: Re: [Kerberos] Kerberos + OpenLDAP
Good evening to everyone.
--On Tuesday, February 27, 2007 6:34 PM -0800 Enrique Rodriguez
<[EMAIL PROTECTED]> wrote:
> Use 'ldap' for LDAP:
> krb5PrincipalName: ldap/[EMAIL PROTECTED]
Although this is the attribute I use for my OpenLDAP directories, I
will note that this attribute is not part of any RFC standard.
In fact, there is no RFC standardized way of storing Kerberos
principals in a directory that I'm aware of. I raised this issue to
MIT and Heimdal once, and apparently they are "working" on
something. But that was several years ago.
The situation may have effectively changed now.
I'm polishing off the details of a kadmin back-end for OpenLDAP. The
goal of this work is to be able to manage an MIT KDC implementation by
running an OpenLDAP server rather than kadmind on the KDC. Putting
this into effective use requires some thought on how to develop an LDAP
based abstraction for a KDC entry.
I looked at a number of schema representations. It's not an RFC, but
the most logical abstraction to use seemed to be the schema which
Novell developed for the LDAP back-end to MIT Kerberos. The 1.6
sources have the schema in the following location:
krb5-1.6/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
I believe some effort was placed into coordinating schema details
between Novell, SUN, MIT and Heimdal if I'm not mistaken.
Greg,
Thanks for the update. It would be nice to see such a schema RFC tracked
so that it gets included by default with various LDAP providers.
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
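As an added example (not code from this thread, MIT, Heimdal or Novell), the snippet below shows what Greg's "LDAP based abstraction for a KDC entry" has to deal with when there is no standard attribute: it targets either principal attribute the thread mentions (krb5PrincipalName from Enrique's mail, krbPrincipalName from the MIT kerberos.schema), rejects principals without a realm, and escapes the value before it goes into a search filter or a DN so that a principal containing filter metacharacters cannot alter the lookup. The objectClass names, DN layout and the `uid` RDN are assumptions for illustration.

```python
import re

# Principal-bearing attribute per schema family (names from the thread / MIT schema).
SCHEMA = {
    "heimdal": {"attr": "krb5PrincipalName", "aux_class": "krb5Principal"},
    "mit":     {"attr": "krbPrincipalName",  "aux_class": "krbPrincipalAux"},
}

# RFC 4515: characters that must be escaped inside a search filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
# RFC 4514: characters that must be escaped inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;')

_PRINCIPAL_RE = re.compile(r"^(?P<name>[^@]+)@(?P<realm>[^@]+)$")


def parse_principal(principal: str) -> tuple[str, str]:
    """Split 'primary/instance@REALM' into (name, realm); reject unqualified names."""
    m = _PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError(f"not a fully qualified principal: {principal!r}")
    return m.group("name"), m.group("realm")


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_rdn_value(value: str) -> str:
    out = "".join("\\" + ch if ch in _DN_SPECIAL else ch for ch in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def principal_filter(principal: str, schema: str) -> str:
    """Exact-match filter for one principal under the chosen schema."""
    name, realm = parse_principal(principal)
    return f"({SCHEMA[schema]['attr']}={escape_filter_value(name + '@' + realm)})"


def principal_ldif(principal: str, base_dn: str, schema: str) -> str:
    """LDIF for a new principal entry (assumed layout: uid RDN + 'account' class)."""
    name, realm = parse_principal(principal)
    s = SCHEMA[schema]
    return "\n".join([
        f"dn: uid={escape_rdn_value(name)},{base_dn}",
        "objectClass: top", "objectClass: account", f"objectClass: {s['aux_class']}",
        f"uid: {name}", f"{s['attr']}: {name}@{realm}", "",
    ])
```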