
Kerberos+LDAP - identity management problems


I know the problem has been discussed before, but I just
can't seem to find a satisfiable solution.

It seems that in 'the ideal setting', OpenLDAP is used
for the identity database and Kerberos is used for the
authentication service. The thing that bothers me is that
in this setting there are actually two identity databases,
since the principals in the Kerberos database can be
viewed as identities. This has several consequences.

There can only be a one-way mapping between the two
identity databases, since only OpenLDAP has a way of
mapping its identities (the dn's) to Kerberos principals.

Identity management (adding/modifying/deleting)
identities has to be done by a 3rd system, which keeps
the databases in sync.

Most importantly, applications cannot use the same
identity name for both authentication and querying
LDAP, since using LDAP for authentication is against
the spirit of Kerberos.

How do people with working systems look at this problem?
Am I making sense? Are there any workarounds?

Marius Olsthoorn
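An added illustration of the one-way mapping described in the post (not code from the poster): it models how slapd's authz-regexp rewrites a GSSAPI identity of the form uid=name,cn=REALM,cn=gssapi,cn=auth into a search on the krbPrincipalName attribute (MIT Kerberos' LDAP schema), so a Kerberos principal resolves to at most one DN. The directory entries and the regexp rule are constructed for the example.

```python
import re

# Constructed sample directory: each entry carries the krbPrincipalName
# attribute (from MIT Kerberos' kerberos.schema), the LDAP-side half of
# the principal -> DN mapping the post describes.
DIRECTORY = [
    {"dn": "uid=marius,ou=people,dc=example,dc=com",
     "krbPrincipalName": ["marius@EXAMPLE.COM"]},
    {"dn": "cn=web01,ou=hosts,dc=example,dc=com",
     "krbPrincipalName": ["host/web01.example.com@EXAMPLE.COM"]},
    # Deliberately duplicated principal: an ambiguous mapping.
    {"dn": "uid=dup1,ou=people,dc=example,dc=com",
     "krbPrincipalName": ["dup@EXAMPLE.COM"]},
    {"dn": "uid=dup2,ou=people,dc=example,dc=com",
     "krbPrincipalName": ["dup@EXAMPLE.COM"]},
]

# Modelled after slapd's authz-regexp directive (constructed rule): the
# SASL identity is rewritten into an LDAP URL whose filter finds the entry.
AUTHZ_REGEXP = (
    r"^uid=([^,]+),cn=([^,]+),cn=gssapi,cn=auth$",
    r"ldap:///dc=example,dc=com??sub?(krbPrincipalName=\1@\2)",
)

def sasl_authz_id(principal):
    """Turn 'primary[/instance]@REALM' into the slapd-style SASL identity."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("principal must be of the form name@REALM")
    return f"uid={name},cn={realm},cn=gssapi,cn=auth"

def map_principal_to_dn(principal, directory=DIRECTORY):
    """Return the single DN a principal maps to, or None when the mapping
    is missing or ambiguous (slapd likewise refuses ambiguous rewrites)."""
    pattern, template = AUTHZ_REGEXP
    m = re.match(pattern, sasl_authz_id(principal))
    if not m:
        return None
    url = m.expand(template)
    # Pull the filter value back out of the LDAP URL we just built.
    wanted = re.search(r"\(krbPrincipalName=([^)]+)\)", url).group(1)
    hits = [e["dn"] for e in directory if wanted in e["krbPrincipalName"]]
    return hits[0] if len(hits) == 1 else None
```

The reverse direction (DN to principal) has no such rule on the Kerberos side, which is the asymmetry the post points out.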