> > You don't need two databases. Both heimdal and MIT current versions
> > allow LDAP as "database" for credentials so you have a single
> > database. I've not used MIT, but I've been using heimdal-ldap for a
> > long time without problems.
>
> This is true. I'm doing the same with heimdal as you. But if there are
> security concerns about storing kerberos credentials in LDAP, then you
> need 2 databases. A KDC doesn't store other things than credentials in
> its native database.
Having encrypted keys (mkey_file) and strict ACL for ldap access covers online and backup security. And as root can read everything, that's enough for me.

Javier Palacios

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
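The two controls the reply relies on, a Heimdal `mkey_file` so that the keys stored in LDAP are only ciphertext, and a slapd ACL that keeps the key attributes away from everyone but the KDC, written out as an added example. This is not code from the thread or from the Heimdal or OpenLDAP projects; the base DN `ou=KerberosPrincipals,dc=example,dc=com`, the file paths under `/var/heimdal` and the staging directory are constructed placeholders, and the peer-credential DN assumes the KDC talks to slapd over `ldapi://` as root with SASL EXTERNAL. The script stages both files into a directory of your choosing and includes a small permission check for the master key file, since the whole scheme rests on that file staying readable by root alone.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): stage a Heimdal kdc.conf
# that uses LDAP as the principal database with an encrypting master key, and
# an OpenLDAP ACL fragment that restricts the key attributes to the KDC.
# DNs and paths below are constructed placeholders.

# Write an example kdc.conf into the directory given as $1.
write_kdc_conf() {
    dir=$1
    cat > "$dir/kdc.conf" <<'EOF'
[kdc]
    database = {
        # hdb-ldap backend: principals live under this subtree (placeholder base DN)
        dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com
        # keys stored in the krb5Key attribute are encrypted with this master key,
        # so an LDAP dump or backup taken without it yields only ciphertext
        mkey_file = /var/heimdal/m-key
        acl_file = /var/heimdal/kadmind.acl
        log_file = /var/heimdal/log
    }
EOF
}

# Write the slapd ACL fragment into $1. The weak variant, which lets any bound
# user read key material, is kept commented out above the corrected one.
write_slapd_acl() {
    dir=$1
    cat > "$dir/slapd-acl.conf" <<'EOF'
# WEAK (do not use): every authenticated bind can read the (encrypted) keys
# access to attrs=krb5Key,krb5KeyVersionNumber
#     by users read
#     by * none

# Corrected: only the KDC/kadmind process, connecting over ldapi:// as root
# (SASL EXTERNAL peer credentials), may read or write the key attributes.
access to attrs=krb5Key,krb5KeyVersionNumber
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
    by * none

# The rest of each principal entry is likewise visible to the KDC only.
access to dn.subtree="ou=KerberosPrincipals,dc=example,dc=com"
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
    by * none
EOF
}

# Check that a master key file is usable only by its intended owner:
# owned by uid $2 (default 0, i.e. root) and with no group/other bits.
# Returns 0 when the file passes, 1 otherwise.
check_mkey_perms() {
    f=$1
    want_uid=${2:-0}
    [ -f "$f" ] || return 1
    # stat -c is GNU; fall back to BSD stat -f so the check is portable
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    owner=$(stat -c '%u' "$f" 2>/dev/null || stat -f '%u' "$f")
    [ "$owner" = "$want_uid" ] || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}
```

Run the two `write_*` functions against a staging directory, review the output, then move the files into place; `check_mkey_perms /var/heimdal/m-key` is the quick test to put in a backup or audit script, because the LDAP ACL protects only the online copy while the master key is what makes the backups safe.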
