

Re: Kerberos OpenLDAP Frontend

daemon@ATHENA.MIT.EDU (g.w@hurderos.org)
Mon Oct 8 10:02:17 2007

Message-Id: <200710081401.l98E1fR1019489@wind.enjellic.com>
From: g.w@hurderos.org
Date: Mon, 8 Oct 2007 09:01:41 -0500
In-Reply-To: Simon Wilkinson <simon@sxw.org.uk>
	"Re: Kerberos OpenLDAP Frontend" (Oct  5, 12:25pm)
To: Simon Wilkinson <simon@sxw.org.uk>,
   Booker Bense <bbense@telemark.slac.stanford.edu>
Cc: kerberos@mit.edu
Reply-To: g.w@hurderos.org
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Oct 5, 12:25pm, Simon Wilkinson wrote:
} Subject: Re: Kerberos OpenLDAP Frontend

Good morning to everyone, hope your week is starting out well.

> On 4 Oct 2007, at 19:02, Booker Bense wrote:
> 
> >
> > The only reason to put in a LDAP back end is to simplify the
> > account management

> One thing I keep thinking about implementing is an LDAP->kadmin
> proxy. You'd still have the KDC database in the current DB format,
> but you'd be able to access it through an overlay on your OpenLDAP
> server, which would translate LDAP actions into kadmin RPCs.

It's the most reasoned and secure approach available for integrating
Kerberos and LDAP.

I've started bolting together a backend to OpenLDAP to implement this
functionality.  It's currently waiting for snow to overtake the
northern plains and force me off my bicycle and into the house in the
evenings... :-)

The main issue is an LDAP schema to implement.  There are some bits
and pieces floating around but nothing I would consider definitive
beyond what Novell implemented for the back-end project.  Group
consensus on a suitable schema would be an important and enabling
first step.

> S.

Best wishes for a productive week.

}-- End of excerpt from Simon Wilkinson

As always,
Greg Wettstein

------------------------------------------------------------------------------
			 The Hurderos Project
         Open Identity, Service and Authorization Management
                       http://www.hurderos.org

"We know that communication is a problem, but the company is not going
 to discuss it with the employees."
				-- Switching supervisor
				   AT&T Long Lines Division
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
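
The LDAP->kadmin proxy sketched in the thread, as an added illustration that is not code from this message, from Hurderos, or from OpenLDAP: LDAP write operations arriving at an overlay are translated into kadmin calls, while the KDC database stays the only store of key material. The kadmin side here is an in-memory stand-in (the real overlay would call libkadm5), the attribute names krbPrincipalName and krbPrincipalExpiration are assumed from the MIT kerberos.schema, the proxy bind DN is invented, and the LDIF records are constructed for the example.

```python
"""Added example: translate LDIF change records into kadmin operations.
Constructed stand-in for the LDAP->kadmin overlay discussed on the list."""
from dataclasses import dataclass, field
import re


@dataclass
class FakeKadmin:
    """In-memory stand-in for kadmin RPCs (constructed, not libkadm5)."""
    principals: dict = field(default_factory=dict)  # name -> {"kvno", "expire"}
    log: list = field(default_factory=list)          # kadmin operations issued

    def add_principal(self, name, password=None):
        if name in self.principals:
            raise KeyError("principal exists: " + name)
        self.principals[name] = {"kvno": 1, "expire": None}
        # the password is consumed by the KDC and never written to the log
        self.log.append(("addprinc", name, "randkey" if password is None else "pw"))

    def change_password(self, name, password):
        self._get(name)["kvno"] += 1            # new key, kvno bumps like cpw
        self.log.append(("cpw", name))

    def modify_principal(self, name, expire):
        self._get(name)["expire"] = expire
        self.log.append(("modprinc", name, expire))

    def delete_principal(self, name):
        self._get(name)
        del self.principals[name]
        self.log.append(("delprinc", name))

    def _get(self, name):
        if name not in self.principals:
            raise KeyError("no such principal: " + name)
        return self.principals[name]


def parse_ldif_change(text):
    """Parse one LDIF change record into (dn, changetype, payload).
    add -> {attr: [values]}; modify -> [(op, attr, [values])]; delete -> None.
    Only the LDIF subset needed here is handled (no base64, no line folding)."""
    lines = [l for l in text.strip().splitlines() if l and not l.startswith("#")]
    dn = lines[0].split(":", 1)[1].strip()
    ctype = lines[1].split(":", 1)[1].strip()
    if ctype == "delete":
        return dn, ctype, None
    if ctype == "add":
        attrs = {}
        for l in lines[2:]:
            k, v = (s.strip() for s in l.split(":", 1))
            attrs.setdefault(k, []).append(v)
        return dn, ctype, attrs
    if ctype == "modify":
        mods, cur = [], None
        for l in lines[2:]:
            if l == "-":                     # end of one modification
                mods.append(cur)
                cur = None
                continue
            k, v = (s.strip() for s in l.split(":", 1))
            if cur is None:
                cur = (k, v, [])             # k is add/replace/delete, v the attr
            else:
                cur[2].append(v)             # attribute value line
        if cur:
            mods.append(cur)
        return dn, ctype, mods
    raise ValueError("unsupported changetype: " + ctype)


def principal_from_dn(dn):
    m = re.match(r"krbPrincipalName=([^,]+)", dn)
    if not m:
        raise ValueError("DN does not name a principal: " + dn)
    return m.group(1)


def apply_ldap_change(kadm, ldif, bind_dn, authorized):
    """Translate one LDAP write into kadmin calls. The overlay is the
    enforcement point, so it checks the binder itself and fails closed on
    anything it cannot map, rather than letting the directory drift from the KDC."""
    if bind_dn not in authorized:
        raise PermissionError("bind DN may not manage principals: " + bind_dn)
    dn, ctype, payload = parse_ldif_change(ldif)
    name = principal_from_dn(dn)
    if ctype == "add":
        kadm.add_principal(name, payload.get("userPassword", [None])[0])
        if "krbPrincipalExpiration" in payload:
            kadm.modify_principal(name, payload["krbPrincipalExpiration"][0])
    elif ctype == "modify":
        for op, attr, values in payload:
            if op == "replace" and attr == "userPassword":
                kadm.change_password(name, values[0])
            elif op == "replace" and attr == "krbPrincipalExpiration":
                kadm.modify_principal(name, values[0])
            else:
                raise ValueError("unmapped modification: %s %s" % (op, attr))
    else:
        kadm.delete_principal(name)
    return kadm.log[-1]


# Constructed sample records; PROXY_DN is an assumed name for the overlay's binder.
PROXY_DN = "cn=kadmin-proxy,cn=EXAMPLE.ORG,cn=krb5"
ALICE = "krbPrincipalName=alice@EXAMPLE.ORG,cn=EXAMPLE.ORG,cn=krb5"
ADD_ALICE = ("dn: %s\nchangetype: add\nobjectClass: krbPrincipal\n"
             "krbPrincipalName: alice@EXAMPLE.ORG\nuserPassword: s3cret\n" % ALICE)
MODIFY_ALICE = ("dn: %s\nchangetype: modify\nreplace: userPassword\n"
                "userPassword: n3wsecret\n-\nreplace: krbPrincipalExpiration\n"
                "krbPrincipalExpiration: 20081231235959Z\n-\n" % ALICE)
DELETE_ALICE = "dn: %s\nchangetype: delete\n" % ALICE


def run_lifecycle():
    """Add alice, rotate her password and set an expiry, then delete her.
    Returns her KDC state just before deletion and the kadmin operation log."""
    kadm, auth = FakeKadmin(), {PROXY_DN}
    apply_ldap_change(kadm, ADD_ALICE, PROXY_DN, auth)
    apply_ldap_change(kadm, MODIFY_ALICE, PROXY_DN, auth)
    state = dict(kadm.principals["alice@EXAMPLE.ORG"])
    apply_ldap_change(kadm, DELETE_ALICE, PROXY_DN, auth)
    return state, kadm.log


def unauthorized_rejected(bind_dn):
    """True if a write from bind_dn is refused before reaching kadmin."""
    try:
        apply_ldap_change(FakeKadmin(), ADD_ALICE, bind_dn, {PROXY_DN})
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(run_lifecycle())
```

The points worth keeping from this sketch when building the real overlay: userPassword is passed through to the KDC and never stored or logged by the directory side; modifications the overlay cannot map are rejected rather than accepted silently; and the kadmin credential the overlay authenticates with should be restricted in kadm5.acl to the operations it actually issues (add, delete, modify, change-password) rather than given full rights.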
