[28460] in Kerberos
Re: MIT Incremental Propagation
daemon@ATHENA.MIT.EDU (Nicolas Williams)
Fri Sep 21 16:54:28 2007
Date: Fri, 21 Sep 2007 15:54:08 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: John Hascall <john@iastate.edu>
Message-ID: <20070921205407.GS7312@Sun.COM>
Mail-Followup-To: John Hascall <john@iastate.edu>,
jaltman@secure-endpoints.com, harris@ucdavis.edu, kerberos@mit.edu
Mime-Version: 1.0
Content-Disposition: inline
In-Reply-To: <32047.1190406556@malison.ait.iastate.edu>
Cc: harris@ucdavis.edu, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Fri, Sep 21, 2007 at 03:29:16PM -0500, John Hascall wrote:
> > There are plenty of LDAP servers suitable for backending the KDC that
> > support incremental and/or multi-master replication.
>
> That, I suppose, depends on your definition of "suitable".
> It certainly isn't suitable to me. The size of the KDC
> codebase is big enough to worry about, throwing something
> like an entire LDAP server into the mix is a whole 'nother
> kettle of fish.
Maybe. If you run the LDAP servers for the KDC backend such that only
the KDCs can be clients of it, with proper packet filtering, then there
won't be much room for new attack vectors.
Whereas if you use an LDAP server infrastructure that's also used for
other things, like name services, then you'd be exposing the KDCs to
attack via hostile (p0wned) directory services.
Nico
--
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos