directory-dev mailing list archives

From "Alex Karasulu" <akaras...@apache.org>
Subject Re: [Kerberos] Kerberos + OpenLDAP
Date Thu, 01 Mar 2007 18:41:29 GMT
+1 to that!

On 3/1/07, Quanah Gibson-Mount <quanah@stanford.edu> wrote:
>
> --On Thursday, March 01, 2007 12:09 AM -0600 g.w@hurderos.org wrote:
>
> > On Feb 28,  1:21pm, "Apache Directory Developers List" wrote:
> > } Subject: Re: [Kerberos] Kerberos + OpenLDAP
> >
> > Good evening to everyone.
> >
> >> --On Tuesday, February 27, 2007 6:34 PM -0800 Enrique Rodriguez
> >> <enriquer9@gmail.com> wrote:
> >>
> >> > Use 'ldap' for LDAP:
> >> > krb5PrincipalName: ldap/www.example.com@EXAMPLE.COM
> >
> >> Although this is the attribute I use for my OpenLDAP directories, I
> >> will note that this attribute is not the part of any RFC standard.
> >> In fact, there is no RFC standardized way of storing Kerberos
> >> principals in a directory that I'm aware of.  I raised this issue to
> >> MIT and Heimdal once, and apparently they are "working" on
> >> something.  But that was several years ago.
> >
> > The situation may have effectively changed now.
> >
> > I'm polishing off the details of a kadmin back-end for OpenLDAP.  The
> > goal of this work is to be able to manage an MIT KDC implementation by
> > running an OpenLDAP server rather than kadmind on the KDC.  Putting
> > this into effective use requires some thought on how to develop an LDAP
> > based abstraction for a KDC entry.
> >
> > I looked at a number of schema representations.  It's not an RFC but
> > the most logical abstraction to use seemed to be the schema which
> > Novell developed for the LDAP back-end to MIT Kerberos.  The 1.6
> > sources have the schema in the following location:
> >
> > krb5-1.6/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
> >
> > I believe some effort was placed into coordinating schema details
> > between Novell, SUN, MIT and Heimdal if I'm not mistaken.
>
> Greg,
>
> Thanks for the update.  It would be nice to see such a schema RFC tracked
> so that it gets included by default with various LDAP providers.
>
> --Quanah
>
> --
> Quanah Gibson-Mount
> Principal Software Developer
> ITS/Shared Application Services
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
>
