directory-dev mailing list archives

From "Aleksander Adamowski" <>
Subject Implementing Kerberos on top of LDAP extended operations
Date Sat, 10 Jan 2009 16:28:21 GMT

I'm working on my master's thesis and the subject I've chosen is
researching the viability of integrating Kerberos and LDAP on protocol
level to eliminate the disparity between them.

The problems resulting from disparate protocols for authentication
(Kerberos) and authorization and generic data access in a directory
(LDAP), encountered during deployment of various LDAP and Kerberos
implementations, have led me to believe that the separation of Kerberos
from LDAP is an artificial result of the history of both protocols'
development and it actually hurts the adoption of both.

The solution in my opinion is to make use of the LDAP protocol's
extensibility and implement all Kerberos operations on top of LDAP
using its extended operations mechanism. This way we'd eliminate the need
to support a differing carrier protocol working on a different port,
using different data structures/encodings.

Using a common database would be much easier as the protocols would
have to be implemented in a single codebase, instead of being
supported by separate products from different teams (like e.g. MIT Krb
5 + OpenLDAP).
This of course has already been accomplished by you in the Apache DS
project - however, I think one step further could be taken in the
integration, namely elimination of separate network protocols.

I've written a blog post on this subject over a year ago
( - since then the idea has evolved a
bit in my head. However, I'd be interested in your opinion about it
before I move to work on it in full scale.

I plan to develop specifications for the new LDAP protocol extensions,
to be published in RFC-compatible form, then I'd like to develop a
proof of concept server-side implementation (based on Apache DS
because of its well thought out architecture) and client-side
implementation (possibly a PAM authentication module).

So what do you think of this idea? Can I count on advice and pointers
when developing relevant interceptors for Apache DS?

Best Regards,
  Aleksander Adamowski
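The carrier mechanism the post proposes to reuse is the LDAP extended operation of RFC 4511 (section 4.12): an ExtendedRequest is identified by an OID and carries an opaque OCTET STRING, so a Kerberos PDU can ride inside it unchanged. The following is an added example, not code from the original message and not Apache DS or MIT code: a minimal BER encoder/decoder for the ExtendedRequest/ExtendedResponse envelope, and a directory-side dispatcher that routes by OID and answers unknown OIDs with protocolError as RFC 4511 requires. The OID `1.3.6.1.4.1.99999.1.1`, the placeholder Kerberos payloads and the `kerberos_extop_handler` stand-in are constructed assumptions; only the RFC 4120 outer tags for AS-REQ and TGS-REQ are real.

```python
"""Kerberos PDU inside an LDAP extended operation (RFC 4511 envelope, BER).
Added illustration; the OID, payloads and handler below are constructed."""

# ASSUMPTION: placeholder OID for the proposed Kerberos extended operation (not registered).
KRB_EXTOP_OID = b"1.3.6.1.4.1.99999.1.1"

# RFC 4120 outer tags: AS-REQ is [APPLICATION 10], TGS-REQ is [APPLICATION 12].
KRB_AS_REQ_TAG, KRB_TGS_REQ_TAG = 0x6A, 0x6C

# RFC 4511 resultCode values used below.
SUCCESS, PROTOCOL_ERROR = 0, 2


def ber_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    """One BER tag-length-value triple."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(v):
    """INTEGER (tag 0x02) in minimal two's-complement form (128 needs a leading 0x00)."""
    n = max(1, (v.bit_length() + 8) // 8)
    return tlv(0x02, v.to_bytes(n, "big", signed=True))


def read_tlv(buf, pos=0):
    """Parse one TLV at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def encode_extended_request(msg_id, oid, payload):
    """LDAPMessage { messageID, [APPLICATION 23] { requestName [0], requestValue [1] } }."""
    ext_req = tlv(0x77, tlv(0x80, oid) + tlv(0x81, payload))
    return tlv(0x30, ber_int(msg_id) + ext_req)


def encode_extended_response(msg_id, result_code, oid, payload, diag=b""):
    """LDAPMessage { messageID, [APPLICATION 24] { LDAPResult, responseName [10], responseValue [11] } }."""
    body = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, diag)  # resultCode, matchedDN, diagnosticMessage
    body += tlv(0x8A, oid) + tlv(0x8B, payload)
    return tlv(0x30, ber_int(msg_id) + tlv(0x78, body))


def decode_extended_request(buf):
    """Return (msg_id, oid, payload); raise ValueError on anything that is not one ExtendedRequest."""
    tag, msg, end = read_tlv(buf)
    if tag != 0x30 or end != len(buf):
        raise ValueError("expected exactly one LDAPMessage")
    tag, mid, pos = read_tlv(msg)
    if tag != 0x02:
        raise ValueError("messageID must be INTEGER")
    msg_id = int.from_bytes(mid, "big", signed=True)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x77:
        raise ValueError("protocolOp is not an ExtendedRequest")
    tag, oid, pos = read_tlv(op)
    if tag != 0x80:
        raise ValueError("requestName missing")
    payload = b""
    if pos < len(op):
        tag, payload, _ = read_tlv(op, pos)
        if tag != 0x81:
            raise ValueError("unexpected element in ExtendedRequest")
    return msg_id, oid, payload


def kerberos_extop_handler(payload):
    """Constructed stand-in for a KDC interceptor: classify the wrapped Kerberos PDU by outer tag."""
    if payload and payload[0] == KRB_AS_REQ_TAG:
        return SUCCESS, b"AS-REP-placeholder"    # a real KDC would build an AS-REP here
    if payload and payload[0] == KRB_TGS_REQ_TAG:
        return SUCCESS, b"TGS-REP-placeholder"
    return PROTOCOL_ERROR, b""                  # not a Kerberos request we understand


HANDLERS = {KRB_EXTOP_OID: kerberos_extop_handler}


def serve(request):
    """Directory-side dispatch by requestName OID; unknown OIDs get protocolError per RFC 4511."""
    msg_id, oid, payload = decode_extended_request(request)
    handler = HANDLERS.get(oid)
    if handler is None:
        return encode_extended_response(msg_id, PROTOCOL_ERROR, oid, b"", b"unsupported extended operation")
    code, reply = handler(payload)
    return encode_extended_response(msg_id, code, oid, reply)


def response_code(resp):
    """Client side: pull resultCode out of an ExtendedResponse."""
    _, msg, _ = read_tlv(resp)
    _, _, pos = read_tlv(msg)               # skip messageID
    tag, body, _ = read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, code, _ = read_tlv(body)
    return code[0]


if __name__ == "__main__":
    fake_as_req = tlv(KRB_AS_REQ_TAG, b"")  # constructed: outer AS-REQ tag with an empty body
    req = encode_extended_request(1, KRB_EXTOP_OID, fake_as_req)
    print(req.hex())
    print("resultCode:", response_code(serve(req)))
```

The interesting part for the thesis is what this envelope does not solve: the Kerberos PDU stays opaque, so the server still needs a KDC-quality implementation behind the handler, and the LDAP session carrying the request has its own security layer (TLS or SASL) that must not be mistaken for the Kerberos protection of the inner message.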
