Quoth [EMAIL PROTECTED] ("Booker C. Bense"):
...
| - There's nothing stopping these various LDAP servers from
| sharing the same keytab. I can see some reasons for not wanting
| to do that, but the only compelling one to me is that if
| you don't trust the security of one of the servers.
| Other than that I can't see any real reason why the keytab
| can be shared. Anything else hints of using the naming
| of Kerberos principals for authorization, and we all know
| how evil that is.
I seem to be too dense this morning to see how service principal names could be authorization. I mean, with client principals it's obvious enough, but I reckon that the service would be the one who grants authorization, not the one who receives it, in at least the typical use of service principals.

By extension, do you see any reason why all services should not just use the "host" principal? That's not a sarcastic question - I think the point could be argued, at least for services that all run as root or have enough common privilege.

Donn Cave, [EMAIL PROTECTED]
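An added example, not part of this thread or of any Kerberos implementation: the Python below writes and reads the MIT version-2 keytab file format, builds a constructed keytab of the kind the quoted message describes (keys for two LDAP servers' service principals plus one host principal, all in one file), and then flags the entries whose instance names a host other than the local one. Those are the keys a compromise of that one server would hand over if the keytab were shared, which is the "don't trust the security of one of the servers" case. The realm, hostnames, timestamps and key bytes are all made up for the example; the keys are just hashes of a label, not derived from any password.

```python
import hashlib
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"      # MIT keytab file format, version 2
KRB5_NT_PRINCIPAL = 1           # principal name type written for each entry
ENCTYPE_AES256_CTS_HMAC_SHA1 = 18


@dataclass
class KeytabEntry:
    principal: str    # e.g. "ldap/ldap1.example.com@EXAMPLE.COM"
    kvno: int
    enctype: int
    key: bytes
    timestamp: int


def _counted(b):
    """Counted octet string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def encode_entry(e):
    """One keytab record: int32 size, then num_components, realm, components,
    name type, timestamp, 8-bit vno, keyblock, and the 32-bit vno extension."""
    name, realm = e.principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, e.timestamp, e.kvno & 0xFF)
    body += struct.pack(">H", e.enctype) + _counted(e.key)
    body += struct.pack(">I", e.kvno)
    return struct.pack(">i", len(body)) + body


def write_keytab(entries):
    return KEYTAB_MAGIC + b"".join(encode_entry(e) for e in entries)


def parse_keytab(data):
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot of |size| bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        kvno = vno8
        if end - pos >= 4:           # optional 32-bit kvno; non-zero value overrides vno8
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        out.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, key, ts))
    return out


def foreign_host_entries(entries, local_fqdn):
    """Principals whose instance component names a different host: keys this
    machine holds but does not need, and would expose if it were compromised."""
    found = []
    for e in entries:
        parts = e.principal.split("@", 1)[0].split("/")
        if len(parts) >= 2 and parts[1].lower() != local_fqdn.lower():
            found.append(e.principal)
    return found


def _fake_key(label):
    # Constructed key material for the example only; not derived from any password.
    return hashlib.sha256(label.encode()).digest()


# Constructed "shared" keytab: both LDAP servers' service keys plus ldap1's host key.
SAMPLE_ENTRIES = [
    KeytabEntry("ldap/ldap1.example.com@EXAMPLE.COM", 2, ENCTYPE_AES256_CTS_HMAC_SHA1, _fake_key("ldap1"), 1700000000),
    KeytabEntry("ldap/ldap2.example.com@EXAMPLE.COM", 2, ENCTYPE_AES256_CTS_HMAC_SHA1, _fake_key("ldap2"), 1700000000),
    KeytabEntry("host/ldap1.example.com@EXAMPLE.COM", 3, ENCTYPE_AES256_CTS_HMAC_SHA1, _fake_key("host1"), 1700000000),
]


def audit_shared_keytab(local_fqdn="ldap1.example.com"):
    """Round-trips the constructed keytab and returns the out-of-host principals."""
    return foreign_host_entries(parse_keytab(write_keytab(SAMPLE_ENTRIES)), local_fqdn)


if __name__ == "__main__":
    for e in parse_keytab(write_keytab(SAMPLE_ENTRIES)):
        print(f"{e.principal}  kvno={e.kvno}  enctype={e.enctype}")
    print("keys for other hosts:", audit_shared_keytab())
```

Running it against a real file is a matter of replacing the constructed bytes with `open("/etc/krb5.keytab", "rb").read()` and passing the machine's own FQDN; the same check works for any keytab, not only LDAP ones.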