directory-dev mailing list archives

From "Enrique Rodriguez" <enriqu...@gmail.com>
Subject Re: Kerberos Kadmin GUI
Date Thu, 21 Jun 2007 18:26:51 GMT
On 6/20/07, Emmanuel Lecharny <elecharny@apache.org> wrote:
> Hi guys,
>
> IBM has recently released (27/4/2007) a Kerberos KAdmin GUI, a SWT
> implementation :
> http://www.alphaworks.ibm.com/tech/nasgui
>
> It seems to be an interesting tool, and I'm thinking we should have such
> a GUI in Apache Directory Studio.
>
> Wdyt ?

I think it would be great if AD Studio supported Kerberos
administration.  However, this IBM tool is using the Kadmin protocol,
which is specific to the MIT Kerberos implementation.  I think with
the protocols we have, we shouldn't support kadmin.  I, for one, won't
be putting any effort towards Kadmin.  You'll note the IBM tool is
using JNI to MIT's library.

You can get a feel for the basic Kerberos principal functions we need
from this Kadmin overview.

http://docs.hp.com/en/5991-7685/ch08s37.html

We can do most of what we need with the LDAP protocol and our X.500
ACI.  A few additional functions are covered by the upcoming
Set/Change Protocol v2, an update of the Change Password protocol.

As for timing, I think it makes sense to hold off a bit longer.  There
are 2 RFCs in the works:  (1) the aforementioned Set/Change Protocol
v2 and (2) a possible informative RFC regarding an LDAP schema for
Kerberos.  The new Set/Change Protocol adds some important key
management functions and the LDAP schema supports many more features
than our existing schema.  I think once implementation of these draft
RFCs has stabilized then we can look at adding a GUI for principal
admin.  I was hoping to get to both of these later this year.

Enrique
