[28547] in Kerberos
Re: Kerberos OpenLDAP Frontend
daemon@ATHENA.MIT.EDU (g.w@hurderos.org)
Mon Oct 8 10:02:17 2007
Message-Id: <200710081401.l98E1fR1019489@wind.enjellic.com>
From: g.w@hurderos.org
Date: Mon, 8 Oct 2007 09:01:41 -0500
In-Reply-To: Simon Wilkinson <simon@sxw.org.uk>
"Re: Kerberos OpenLDAP Frontend" (Oct 5, 12:25pm)
To: Simon Wilkinson <simon@sxw.org.uk>,
Booker Bense <bbense@telemark.slac.stanford.edu>
Cc: kerberos@mit.edu
Reply-To: g.w@hurderos.org
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Oct 5, 12:25pm, Simon Wilkinson wrote:
} Subject: Re: Kerberos OpenLDAP Frontend
Good morning to everyone, hope your week is starting out well.
> On 4 Oct 2007, at 19:02, Booker Bense wrote:
>
> >
> > The only reason to put in a LDAP back end is to simplify the
> > account management
> One thing I keep thinking about implementing is an LDAP->kadmin
> proxy. You'd still have the KDC database in the current DB format,
> but you'd be able to access it through an overlay on your OpenLDAP
> server, which would translate LDAP actions into kadmin RPCs.
Its the most reasoned and secure approach available for integrating
Kerberos and LDAP.
I've started bolting together a backend to OpenLDAP to implement this
functionality. Its currently waiting for snow to overtake the
northern plains and force me off my bicycle and into the house in the
evenings... :-)
The main issue is an LDAP scheme to implement. There are some bits
and pieces floating around but nothing I would consider definitive
beyond what Novell implemented for the back-end project. Group
consensus on a suitable schema would be an important and enabling
first step.
> S.
Best wishes for a productive week.
}-- End of excerpt from Simon Wilkinson
As always,
Greg Wettstein
------------------------------------------------------------------------------
The Hurderos Project
Open Identity, Service and Authorization Management
http://www.hurderos.org
"We know that communication is a problem, but the company is not going
to discuss it with the employees."
-- Switching supervisor
AT&T Long Lines Division
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos