+1 to that!

On 3/1/07, Quanah Gibson-Mount wrote:
>
> --On Thursday, March 01, 2007 12:09 AM -0600 g.w@hurderos.org wrote:
>
> > On Feb 28, 1:21pm, "Apache Directory Developers List" wrote:
> > } Subject: Re: [Kerberos] Kerberos + OpenLDAP
> >
> > Good evening to everyone.
> >
> >> --On Tuesday, February 27, 2007 6:34 PM -0800 Enrique Rodriguez
> >> wrote:
> >>
> >> > Use 'ldap' for LDAP:
> >> > krb5PrincipalName: ldap/www.example.com@EXAMPLE.COM
> >
> >> Although this is the attribute I use for my OpenLDAP directories, I
> >> will note that this attribute is not the part of any RFC standard.
> >> In fact, there is no RFC standardized way of storing Kerberos
> >> principals in a directory that I'm aware of. I raised this issue to
> >> MIT and Heimdal once, and apparently they are "working" on
> >> something. But that was several years ago.
> >
> > The situation may have effectively changed now.
> >
> > I'm polishing off the details of a kadmin back-end for OpenLDAP. The
> > goal of this work is to be able to manage an MIT KDC implementation by
> > running an OpenLDAP server rather than kadmind on the KDC. Putting
> > this into effective use requires some thought on how to develop an LDAP
> > based abstraction for a KDC entry.
> >
> > I looked at a number of schema representations. It's not an RFC but
> > the most logical abstraction to use seemed to be the schema which
> > Novell developed for the LDAP back-end to MIT Kerberos. The 1.6
> > sources have the schema in the following location:
> >
> > krb5-1.6/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
> >
> > I believe some effort was placed into coordinating schema details
> > between Novell, SUN, MIT and Heimdal if I'm not mistaken.
>
> Greg,
>
> Thanks for the update. It would be nice to see such a schema RFC tracked
> so that it gets included by default with various LDAP providers.
>
> --Quanah
>
> --
> Quanah Gibson-Mount
> Principal Software Developer
> ITS/Shared Application Services
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html