directory-dev mailing list archives

From "Enrique Rodriguez" <enriqu...@gmail.com>
Subject Re: [Kerberos] Kerberos + OpenLDAP
Date Thu, 01 Mar 2007 00:18:33 GMT
On 2/28/07, Quanah Gibson-Mount <quanah@stanford.edu> wrote:
> ...
> Although this is the attribute I use for my OpenLDAP directories, I will
> note that this attribute is not part of any RFC standard.  In fact,
> there is no RFC standardized way of storing Kerberos principals in a
> directory that I'm aware of.  I raised this issue to MIT and Heimdal once,
> and apparently they are "working" on something.  But that was several years
> ago.  I certainly would ensure that this not be a hard-coded method of
> making SASL/GSSAPI work.  The sasl-regexp bits from OpenLDAP are pretty
> handy in this area, you may wish to review them if you haven't yet.

I often lament that there isn't a standard suite of schemata suitable
for an enterprise.  To get the ball rolling, we reused the first
Kerberos schema we found, the old krb5kdc.schema.  We'll need
something better soon.  We did look around, for example at some work
taking place at DMTF, but never found anything.  A design effort would
be great.

Enrique
