I guess as long as we have a convenient mechanism for adding, removing and updating Kerberos users and passwords then we should be OK. How this is done is not that important right now, but may be from a security perspective. As long as SASL and SSL are being used via LDAP we can trust such operations in production environments.
I don't know if the state of the changepw protocol with the new capabilities you mentioned is even viable right now, but perhaps it will be later, in which case we can enable 2 separate mechanisms for managing Kerberos users.

Alex

On 6/22/07, Enrique Rodriguez <[EMAIL PROTECTED]> wrote:
On 6/21/07, Emmanuel Lecharny <[EMAIL PROTECTED]> wrote:
> Enrique Rodriguez wrote:
> > ...
> > We can do most of what we need with the LDAP protocol and our X.500
> > ACI.
>
> Sure, but I think a GUI is great to have to avoid complex manipulation
> of such elements. We already have an ACI editor in Apache Directory
> Studio, we just need a specific interface for Kerberos admin, I guess.

I agree. I don't think users should have to directly manipulate attributes and know ACI syntax. A tool would be great. My point was more that the protocol to do this with should be LDAP and not Kadmin.

> ...
> Can we have a status for those RFCs and drafts?

I will start one here:

http://cwiki.apache.org/confluence/display/DIRxSBOX/Kerberos+RFC+Support

Enrique
