[28537] in Kerberos
Re: Kerberos OpenLDAP Frontend
daemon@ATHENA.MIT.EDU (Russ Allbery)
Fri Oct 5 14:55:22 2007
From: Russ Allbery <rra@stanford.edu>
To: kerberos@mit.edu
In-Reply-To: <3D772DDA-5C28-447D-B660-832C2F8B580E@sxw.org.uk> (Simon
Wilkinson's message of "Fri, 5 Oct 2007 12:25:43 +0100")
Date: Fri, 05 Oct 2007 11:54:55 -0700
Message-ID: <87641ll7cw.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Simon Wilkinson <simon@sxw.org.uk> writes:
> One thing I keep thinking about implementing is an LDAP->kadmin
> proxy. You'd still have the KDC database in the current DB format, but
> you'd be able to access it through an overlay on your OpenLDAP server,
> which would translate LDAP actions into kadmin RPCs.
Having done a bit of Active Directory munging over LDAP, I don't think
LDAP makes a very appealing kadmin protocol, although it may be better
with a better data model than Active Directory offers. (Separating flags
out into separate attributes, for example, rather than using a bitmask in
one attribute.)
LDAP is an extremely heavy-weight and complex protocol, although it does
have the advantage of having stable libraries and a reasonable
authentication structure.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos