No, I'm not talking about using LDAP to store the back-end for a KDC. I'm wondering if there are any thoughts or wisdom related to RFC 2307 (or successors) about how to store meta-information about Kerberos principals. That RFC defines schemas for "machines" and things with IP numbers. I also need to associate an "owner" for non-people principals.
Probably incomplete list of information needed for non-people principals:

 - Owner (either a uid for a given search base, or else a real-person principal)
 - Backup Owner (in case the primary vanishes)
 - Renewal Date (so we can clean up, and maybe rotate keys)
 - Maybe a reference to the machine entry, if it isn't part of the machine entry already.
 - For a machine, maybe a list of service principals extant?

Excuse the stream-of-consciousness presentation. Trying to put this in more formal requirements:

 - A machine may have multiple IP numbers.
 - An IP number may have multiple service principals.
 - A service principal has (at least) an owner, backup owner, and renewal date. (Maybe some duplicated info from the Kerberos DB.)
 - A service principal may be used to bind to LDAP (to get info about users).

Are there any standard object classes (besides what's in 2307) that I might use? Any suggestions, comments?

--
The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government.
[EMAIL PROTECTED], or [EMAIL PROTECTED]

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
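As an added illustration (not from the post or the list), the requirements above modelled as LDAP entries in a constructed LDIF fragment: a machine entry using the RFC 2307 ipHost class with two ipHostNumber values, and service principal entries stored beneath it that carry owner, backup owner and renewal date. The x-principal, x-owner, x-backupOwner and x-renewalDate attribute names are hypothetical placeholders, not from any published schema; the helper functions answer the two questions the renewal date and owner fields exist for: which principals hang off which IP number, and which are due for cleanup and whom to ask first.

```python
# Added example (not from the post). Models its requirements as LDAP entries: a
# machine (RFC 2307 ipHost with multi-valued ipHostNumber) and service principals
# stored beneath it. The x-* attribute names are hypothetical placeholders.
SAMPLE_LDIF = """\
dn: cn=kdc,dc=example,dc=org
objectClass: ipHost
ipHostNumber: 192.0.2.10
ipHostNumber: 192.0.2.11

dn: x-principal=host/kdc.example.org,cn=kdc,dc=example,dc=org
x-principal: host/kdc.example.org
ipHostNumber: 192.0.2.10
x-owner: uid=alice,ou=People,dc=example,dc=org
x-backupOwner: uid=bob,ou=People,dc=example,dc=org
x-renewalDate: 20240101

dn: x-principal=ldap/kdc.example.org,cn=kdc,dc=example,dc=org
x-principal: ldap/kdc.example.org
ipHostNumber: 192.0.2.11
x-owner: uid=alice,ou=People,dc=example,dc=org
x-renewalDate: 20991231
"""

def parse_ldif(text):
    """Minimal LDIF reader (no base64 values, no line folding); values are lists."""
    entries = []
    for block in text.strip().split("\n\n"):       # blank line separates entries
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def principals_by_ip(entries, machine_dn):
    """Map each IP number of a machine to the service principals bound to it."""
    by_ip = {}
    for e in entries:
        if "x-principal" in e and e["dn"][0].endswith("," + machine_dn):
            for ip in e.get("ipHostNumber", []):
                by_ip.setdefault(ip, []).append(e["x-principal"][0])
    return by_ip

def cleanup_candidates(entries, today):
    """Principals whose renewal date (YYYYMMDD) is on or before 'today' or that
    lack a backup owner, with the owner DN to contact before removing them."""
    return [(e["x-principal"][0], e["x-owner"][0],
             e["x-renewalDate"][0] <= today, "x-backupOwner" not in e)
            for e in entries if "x-principal" in e
            and (e["x-renewalDate"][0] <= today or "x-backupOwner" not in e)]
```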
