I guess as long as we have a convenient mechanism for adding, removing and
updating Kerberos users and passwords then we should be OK.  How this is
done is not that important right now, but may be from a security perspective.
As long as SASL and SSL are being used via LDAP we can trust such operations
in production environments.

I don't know if the state of the changepw protocol with the new capabilities you
mentioned are even viable right now but perhaps they will be later in which case
we can enable 2 separate mechanisms for managing Kerberos users.


On 6/22/07, Enrique Rodriguez < enriquer9@gmail.com> wrote:
On 6/21/07, Emmanuel Lecharny < elecharny@apache.org> wrote:
> Enrique Rodriguez a écrit :
> > ...
> > We can do most of what we need with the LDAP protocol and our X.500
> > ACI.
> Sure, but I think a GUI is great to have to avoid complex manipulation
> of such elements. We already have an ACI editor in Apache Directory
> Studio, we just need a specific interface for Kerberos admin, I guess.

I agree.  I don't think users should have to directly manipulate
attributes and know ACI syntax.  A tool would be great.  My point was
more that the protocol to do this with should be LDAP and not Kadmin.

> ...
> Can we have a status for those RFCs and drafts ?

I will start one here: