On Fri, Sep 21, 2007 at 03:29:16PM -0500, John Hascall wrote:
> > There are plenty of LDAP servers suitable for backending the KDC that
> > support incremental and/or multi-master replication.
>
> That, I suppose, depends on your definition of "suitable".
> It certainly isn't suitable to me. The size of the KDC
> codebase is big enough to worry about, throwing something
> like an entire LDAP server into the mix is a whole 'nother
> kettle of fish.
Maybe. If you run the LDAP servers for the KDC backend such that only
the KDCs can be clients of it, with proper packet filtering, then there
won't be much room for new attack vectors. Whereas if you use an LDAP
server infrastructure that's also used for other things, like name
services, then you'd be exposing the KDCs to attack via hostile (p0wned)
directory services.

Nico
--
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
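An added example, not part of the thread above: one concrete form of the "proper packet filtering" Nico describes, for a host that runs an LDAP server used only as the KDC backend. It generates an nftables ruleset that accepts LDAP (389) and LDAPS (636) only from an allowlist of KDC addresses and drops every other inbound connection to those ports, and it includes a small decision function that mirrors the ruleset so the policy can be checked without loading it. The use of nftables and the KDC addresses (192.0.2.x, constructed) are assumptions; nothing here is from the Kerberos or LDAP projects.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): restrict a KDC-backend
# LDAP server so that only the KDC hosts can reach it over the network.
# Assumes nftables; the KDC addresses passed in are constructed for the demo.

# Emit an nftables ruleset that accepts TCP 389/636 only from the listed
# KDC addresses and drops all other new inbound connections to those ports.
# Usage: kdc_only_ldap_ruleset 192.0.2.10 192.0.2.11
kdc_only_ldap_ruleset() {
    if [ "$#" -eq 0 ]; then
        echo "kdc_only_ldap_ruleset: at least one KDC address is required" >&2
        return 1
    fi
    kdcs=""
    for ip in "$@"; do
        kdcs="${kdcs:+$kdcs, }$ip"   # build "a, b, c" for the nft set literal
    done
    cat <<EOF
table inet kdc_ldap {
    set kdc_hosts {
        type ipv4_addr
        elements = { $kdcs }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        iif "lo" accept
        ct state established,related accept
        tcp dport { 389, 636 } ip saddr @kdc_hosts accept
        tcp dport { 389, 636 } drop
    }
}
EOF
}

# Load the generated ruleset with nft (needs root; not called automatically).
# Usage: load_ruleset 192.0.2.10 192.0.2.11
load_ruleset() {
    kdc_only_ldap_ruleset "$@" | nft -f -
}

# Mirror the ruleset's decision for one new inbound TCP connection so the
# policy can be sanity-checked without loading it. Prints "accept" or "drop".
# Ports other than 389/636 fall through to the chain's accept policy: this
# table only covers LDAP, and a real host would restrict the rest separately.
# Usage: ldap_decision <src_ip> <dst_port> <kdc_ip>...
ldap_decision() {
    src=$1
    dport=$2
    shift 2
    case $dport in
        389|636) ;;
        *) echo accept; return 0 ;;
    esac
    for ip in "$@"; do
        if [ "$ip" = "$src" ]; then
            echo accept
            return 0
        fi
    done
    echo drop
}
```

Because the chain policy is `accept`, the ruleset only closes the LDAP ports; on a dedicated backend host you would normally pair it with a default-drop input policy for everything else, and if the KDCs talk to the directory over IPv6 the set type (and a second set) must be adjusted accordingly.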
