+1 to that!

On 3/1/07, Quanah Gibson-Mount <[EMAIL PROTECTED]> wrote:

--On Thursday, March 01, 2007 12:09 AM -0600 [EMAIL PROTECTED] wrote:

> On Feb 28, 1:21pm, "Apache Directory Developers List" wrote:
> } Subject: Re: [Kerberos] Kerberos + OpenLDAP
>
> Good evening to everyone.
>
>> --On Tuesday, February 27, 2007 6:34 PM -0800 Enrique Rodriguez
>> <[EMAIL PROTECTED]> wrote:
>>
>> > Use 'ldap' for LDAP:
>> > krb5PrincipalName: ldap/[EMAIL PROTECTED]
>
>> Although this is the attribute I use for my OpenLDAP directories, I
>> will note that this attribute is not part of any RFC standard.
>> In fact, there is no RFC standardized way of storing Kerberos
>> principals in a directory that I'm aware of. I raised this issue to
>> MIT and Heimdal once, and apparently they are "working" on
>> something. But that was several years ago.
>
> The situation may have effectively changed now.
>
> I'm polishing off the details of a kadmin back-end for OpenLDAP. The
> goal of this work is to be able to manage an MIT KDC implementation by
> running an OpenLDAP server rather than kadmind on the KDC. Putting
> this into effective use requires some thought on how to develop an LDAP
> based abstraction for a KDC entry.
>
> I looked at a number of schema representations. It's not an RFC, but
> the most logical abstraction to use seemed to be the schema which
> Novell developed for the LDAP back-end to MIT Kerberos. The 1.6
> sources have the schema in the following location:
>
> krb5-1.6/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
>
> I believe some effort was placed into coordinating schema details
> between Novell, SUN, MIT and Heimdal, if I'm not mistaken.

Greg,

Thanks for the update. It would be nice to see such a schema RFC tracked so that it gets included by default with various LDAP providers.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
