directory-dev mailing list archives

From "Alex Karasulu" <>
Subject Re: [Kerberos] Kerberos + OpenLDAP
Date Thu, 01 Mar 2007 16:45:56 GMT
Hi Greg,

On 3/1/07, <> wrote:
> On Feb 28,  1:21pm, "Apache Directory Developers List" wrote:
> } Subject: Re: [Kerberos] Kerberos + OpenLDAP
> Good evening to everyone.

Good morning to you.

> --On Tuesday, February 27, 2007 6:34 PM -0800 Enrique Rodriguez
> > <> wrote:
> >
> > > Use 'ldap' for LDAP:
> > > krb5PrincipalName: ldap/
> > Although this is the attribute I use for my OpenLDAP directories, I
> > will note that this attribute is not the part of any RFC standard.
> > In fact, there is no RFC standardized way of storing Kerberos
> > principals in a directory that I'm aware of.  I raised this issue to
> > MIT and Heimdal once, and apparently they are "working" on
> > something.  But that was several years ago.
> The situation may have effectively changed now.

I hope so. As Enrique described, this schema we're now using is very limiting.

> I'm polishing off the details of a kadmin back-end for OpenLDAP.  The
> goal of this work is to be able to manage an MIT KDC implementation by
> running an OpenLDAP server rather than kadmind on the KDC.  Putting
> this into effective use requires some thought on how to develop an LDAP
> based abstraction for a KDC entry.

Excellent.  Is this happening on some mailing list we can watch to see your
progress, or is this just something you're doing by yourself?  If you like, feel
free to work it out here at Directory's dev list, if you think that will
attract more people interested in these aspects.

> I looked at a number of schema representations.  It's not an RFC but
> the most logical abstraction to use seemed to be the schema which
> Novell developed for the LDAP back-end to MIT Kerberos.  The 1.6
> sources have the schema in the following location:
> krb5-1.6/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema

Is this in the MIT code base?

> I believe some effort was placed into coordinating schema details
> between Novell, SUN, MIT and Heimdal if I'm not mistaken.
> I'm still sorting details but the schema seems to be sufficient to
> support abstracting MIT kadmind functionality into an LDAP interface
> definition.  Although mechanistically different, ADS is essentially
> faced with the problem of presenting the same type of abstraction.

Indeed.  Right now we have virtually no interface at all.  Basically we have
for generating keys for Kerberos entries that take effect on the import of
such entries during startup.  Yeah, it's not very useful as it stands.

At some point I wanted to develop a tool for doing this, but time constraints
did not permit it, and after all, the tool would have to leverage the Kerberos
infrastructure via changepw to securely create accounts and administer them.

I think Enrique and I discussed the potential for this a while back.

> It would seem logical for all these efforts to converge on a common
> schema.  The above schema may be as good a place to start as any.

Yes, the schema would give us another route through which we could
effectively manage Kerberos accounts.

I know a common schema is a good thing overall regardless of whether the
changes are taking place via LDAP or via changepw.  However, are there any
foreseeable disadvantages to using LDAP versus changepw with this new schema
or another?

> Best wishes for a productive remainder of the week.

And to you as well.
