Hi Greg,

On 3/1/07, g.w@hurderos.org <g.w@hurderos.org> wrote:
On Feb 28,  1:21pm, "Apache Directory Developers List" wrote:
} Subject: Re: [Kerberos] Kerberos + OpenLDAP

Good evening to everyone.

Good morning to you.

> --On Tuesday, February 27, 2007 6:34 PM -0800 Enrique Rodriguez
> <enriquer9@gmail.com> wrote:
>
> > Use 'ldap' for LDAP:
> > krb5PrincipalName: ldap/www.example.com@EXAMPLE.COM

> Although this is the attribute I use for my OpenLDAP directories, I
> will note that this attribute is not the part of any RFC standard.
> In fact, there is no RFC standardized way of storing Kerberos
> principals in a directory that I'm aware of.  I raised this issue to
> MIT and Heimdal once, and apparently they are "working" on
> something.  But that was several years ago.

The situation may have effectively changed now.

I hope so; as Enrique described, this schema we're now using is very limiting.

I'm polishing off the details of a kadmin back-end for OpenLDAP.  The
goal of this work is to be able to manage an MIT KDC implementation by
running an OpenLDAP server rather than kadmind on the KDC.  Putting
this into effective use requires some thought on how to develop an LDAP
based abstraction for a KDC entry.

Excellent.  Is this happening on some mailing list we can watch to see your progress, or is this just something you're doing by yourself?  If you like, feel free to work it out here at Directory's dev list, if you think that will attract more people interested in these aspects.

I looked at a number of schema representations.  It's not an RFC but
the most logical abstraction to use seemed to be the schema which
Novell developed for the LDAP back-end to MIT Kerberos.  The 1.6
sources have the schema in the following location:

krb5-1.6/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema

Is this in the MIT code base?

I believe some effort was placed into coordinating schema details
between Novell, SUN, MIT and Heimdal if I'm not mistaken.

I'm still sorting details but the schema seems to be sufficient to
support abstracting MIT kadmind functionality into an LDAP interface
definition.  Although mechanistically different ADS is essentially
faced with the problem of presenting the same type of abstraction.

Indeed.  Right now we have virtually no interface at all.  Basically we have filters for generating keys for Kerberos entries that take effect on the import of such entries during startup.  Yeah, it's not very useful as it stands.

At some point I wanted to develop a tool for doing this, but time constraints did not permit it, and after all the tool would have to leverage the Kerberos infrastructure via changepw to securely create accounts and administer them.

I think Enrique and I discussed the potential for this a while back.

It would seem logical for all these efforts to converge on a common
schema.  The above schema may be as good a place to start as any.

Yes, the schema would give us another route through which we could effectively manage Kerberos accounts.

I know a common schema is a good thing overall, regardless of whether the changes are taking place via LDAP or via Changepw.  However, are there any foreseeable disadvantages to using LDAP versus Changepw with this new schema or another?

Best wishes for a productive remainder of the week.

And to you as well.

Alex
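Added illustration, not part of the thread and not taken from either project's sources: the same service principal written out in the two representations discussed above, first with the krb5PrincipalName attribute Enrique quoted, then under the Novell/MIT kerberos.schema Greg points to. The suffix dc=example,dc=com, the uid, the krb5Principal object class (from the Heimdal-style schema that krb5PrincipalName comes from) and the timestamp are assumptions; the attribute and class names in the second record are those of MIT's kerberos.schema.

```ldif
# Representation A: the attribute in use on the list today. Not from any RFC;
# the directory only knows the principal's name, and the KDC holds everything
# else (keys, ticket policy) in its own database.
dn: uid=www,ou=services,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: krb5Principal
uid: www
krb5PrincipalName: ldap/www.example.com@EXAMPLE.COM

# Representation B: the same principal under the Novell/MIT kerberos.schema
# (krb5-1.6/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema). The KDC state
# lives in auxiliary classes, so it can be attached to an existing service or
# user entry instead of being kept in a separate KDC-only database.
dn: uid=www,ou=services,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
uid: www
krbPrincipalName: ldap/www.example.com@EXAMPLE.COM
krbLastPwdChange: 20070301000000Z
krbMaxTicketLife: 86400
krbMaxRenewableAge: 604800
# krbPrincipalKey (the KDC-encrypted key, base64 in LDIF) is deliberately
# omitted here: in practice the kadmin/KDC code writes it, never a hand-edited
# LDIF. Whichever representation is chosen, the directory ACLs must limit
# read access on that attribute to the KDC and kadmin service identities,
# since with representation B the directory now holds the key material that
# previously never left the KDC host.
```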