
Re: Kerberos+LDAP - identity management problems



Thanks,

> --On Friday, November 28, 2003 4:25 PM +0100 Marius Olsthoorn
> <marius@kern.nl> wrote:
>
>
>> Most importantly, applications cannot use the same
>> identity name for both authentication and querying
>> LDAP, since using LDAP for authentication is against
>> the spirit of Kerberos.
>
> Marius,
>
> Our answer is that we have an entire events system, and a global database
> called the 'registry' that has pretty much every bit of information on
> people we could ever want to hold.  All changes get propagated into/out of
> the registry via events, and clients that receive events read the changes
> via an XML document server.
>

It seems like a nice system, although you have to maintain everything
yourself.

> As far as applications, I'm not clear what your issue is.  We create
> service principals (service/<appname>).  We then use the k5start utility to
> get a kerberos ticket for that application.  The application then uses
> that ticket to bind to the LDAP server and makes its query.

Sorry if I wasn't clear on this. I was aiming at applications which have
to authenticate users and use user data. They have to use one identity in
two 'namespaces'. The first being Kerberos, the second being LDAP. Since
there is no explicit mapping between the two you might run into problems.
However, I guess you could use an implicit mapping (a convention). But then
you have to hardcode the convention in your applications, which is usually
a bad idea.

Marius Olsthoorn
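As an added illustration of the mapping problem discussed above (example code, not from either poster): the convention-based lookup the reply warns about, beside an explicit attribute-based one that carries no naming convention. It assumes the directory records each user's principal in krbPrincipalName (the attribute from the Kerberos LDAP schema); whether a given directory populates it is an assumption. Filter escaping follows RFC 4515.

```python
# Constructed example of the two Kerberos-to-LDAP identity mappings the thread
# contrasts. The directory is assumed to store the user's principal name as
# written in krbPrincipalName; nothing here talks to a real KDC or LDAP server.

_LDAP_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28',
                        ')': r'\29', '\0': r'\00'}


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return ''.join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_principal(name):
    """Split 'primary/instance@REALM' into (components, realm).
    Backslash escapes '/', '@' and '\\' inside a component (RFC 4120)."""
    comps, cur, i = [], [], 0
    while i < len(name):
        ch = name[i]
        if ch == '\\' and i + 1 < len(name):   # escaped char: take it literally
            cur.append(name[i + 1]); i += 2; continue
        if ch == '/':
            comps.append(''.join(cur)); cur = []
        elif ch == '@':                         # rest of the string is the realm
            comps.append(''.join(cur))
            return comps, name[i + 1:]
        else:
            cur.append(ch)
        i += 1
    raise ValueError('principal has no realm: %r' % name)


def filter_by_convention(name, local_realm):
    """Implicit mapping: uid is assumed to equal the principal's primary.
    Only single-component principals in the local realm fit the convention;
    anything else is rejected rather than silently matched to a wrong entry."""
    comps, realm = parse_principal(name)
    if realm != local_realm or len(comps) != 1 or not comps[0]:
        raise ValueError('no convention-based mapping for %r' % name)
    return '(uid=%s)' % ldap_filter_escape(comps[0])


def filter_by_attribute(name):
    """Explicit mapping: the entry itself records the full principal name,
    so the lookup needs no convention about how uid and principal relate."""
    parse_principal(name)                       # validate the form first
    return '(krbPrincipalName=%s)' % ldap_filter_escape(name)
```

Cross-realm principals and multi-component ones (e.g. an /admin instance) are exactly where the implicit convention breaks, which is why the convention-based function refuses them instead of guessing.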