On Wed, 2013-02-13 at 19:34 +0100, Ondrej Hamada wrote:
> Dne 13.2.2013 14:36, Simo Sorce napsal(a):
> > On Tue, 2013-02-12 at 19:30 -0500, Dmitri Pal wrote:
> >
> >> It looks like things are starting to boil down to building a Kerberos
> >> proxy.
> >> Is this something that fits within your thesis agenda Ondra?
> > I guess that's for Ondrej to say, if it is too much we can simply start
> > working on the LDAP/replication side with rekeying and what not, and
> > deal with the KDC part at a later time.
> >
> > Simo.
> >
> Working on the LDAP/repl side fits the thesis agenda better, so I would 
> like to go that way.
> Rekeying - do you mean some sort of plugin for transporting the krb keys 
> from masters to consumers?
> Besides securing transport of keys what else should be done in ldap? 
> I've only partial replication in my mind - I mean replication of entries 
> selected by some kind of ldap filters.

We would need to re-encrypt keys so that we do not need to hand off to
remote KDCs the same master key.
This way a compromise in a branch office replica would not compromise
the central infrastructure, but only affect the remote branch.


Simo Sorce * Red Hat, Inc * New York
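Simo's rekeying idea above, as an added example that is not FreeIPA's code: principal keys stored under the central KDC master key are unwrapped and re-wrapped under a per-branch master key before being handed to a replica, and only the principals matching a selector are replicated, so a compromised branch replica yields neither the central master key nor the keys of principals it never received. It assumes a stdlib-only toy construction (HMAC-SHA256 counter-mode keystream with encrypt-then-MAC) in place of the KDC's real key encryption, and the principal names and keys are constructed sample data.

```python
import hashlib, hmac, os


def _subkey(master: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one master key.
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for a block cipher (toy, stdlib only).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(master: bytes, principal_key: bytes) -> bytes:
    # Encrypt-then-MAC: blob = nonce || ciphertext || tag.
    nonce = os.urandom(16)
    ks = _keystream(_subkey(master, b"enc"), nonce, len(principal_key))
    ct = bytes(p ^ k for p, k in zip(principal_key, ks))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(master: bytes, blob: bytes) -> bytes:
    # Verify the tag before decrypting; the wrong master key fails here, not later.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master key or tampered key blob")
    ks = _keystream(_subkey(master, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def rekey_for_replica(central_master: bytes, replica_master: bytes,
                      entries: dict, selector) -> dict:
    # Re-encrypt only the selected principals under the replica's own master key;
    # central_master itself never leaves the central servers.
    return {name: wrap(replica_master, unwrap(central_master, blob))
            for name, blob in entries.items() if selector(name)}


# Constructed sample data: a central store with one branch host and one admin.
CENTRAL_MASTER, BRANCH_MASTER = os.urandom(32), os.urandom(32)
PRINCIPAL_KEYS = {"host/br1.example.test": b"\x01" * 32, "admin@EXAMPLE.TEST": b"\x02" * 32}
CENTRAL_STORE = {n: wrap(CENTRAL_MASTER, k) for n, k in PRINCIPAL_KEYS.items()}
BRANCH_STORE = rekey_for_replica(CENTRAL_MASTER, BRANCH_MASTER, CENTRAL_STORE,
                                 lambda name: name.startswith("host/br1."))
```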

Freeipa-devel mailing list