Re: Kerberos+LDAP - identity management problems

--On Friday, November 28, 2003 4:25 PM +0100 Marius Olsthoorn <marius@kern.nl> wrote:

Most importantly, applications cannot use the same
identity name for both authentication and querying
LDAP, since using LDAP for authentication is against
the spirit of Kerberos.


Our answer is that we have an entire events system, and a global database called the 'registry' that has pretty much every bit of information on people we could ever want to hold. All changes get propagated into/out of the registry via events, and clients that receive events read the changes via an XML document server.

As far as applications, I'm not clear what your issue is. We create service principals (service/<appname>). We then use the k5start utility to get a Kerberos ticket for that application. The application then uses that ticket to bind to the LDAP server and makes its query.
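The pattern described above (a service principal held in a keytab, k5start obtaining the ticket, the application binding to LDAP with it) as an added example; this is illustrative code, not from the original message or the poster's site. The service name "myapp", realm EXAMPLE.ORG, keytab path, LDAP URI and search base are assumed placeholders.

```shell
#!/bin/sh
# Added example: an application authenticates with its own Kerberos service
# principal via k5start and then queries LDAP over a GSSAPI bind, so no LDAP
# password is ever configured or sent. Names and paths are placeholders.
set -eu

# Build the principal name in the service/<appname>@REALM form used above.
service_principal() {
    printf 'service/%s@%s\n' "$1" "$2"
}

# The keytab is the application's long-term secret: refuse to use it unless it
# is a regular file with mode exactly 0600 (find -perm without +/- is an exact
# match), so a world-readable keytab cannot silently become the app identity.
keytab_is_private() {
    [ -f "$1" ] && [ -n "$(find "$1" -perm 600 -print)" ]
}

# Obtain a ticket for the service principal and run the LDAP query under it.
#   -U  take the principal name from the keytab itself
#   -k  use a private credential cache, so the app never picks up a user's tickets
#   -K  keep the ticket renewed (every 10 minutes) while the command runs
# k5start exports KRB5CCNAME to the child, and ldapsearch -Y GSSAPI binds with
# that ticket; LDAP is used only for the lookup, never for authentication.
ldap_query_as_service() {
    app="$1"; realm="$2"; keytab="$3"; ldap_uri="$4"; base="$5"; filter="$6"
    keytab_is_private "$keytab" || {
        echo "refusing to use keytab $keytab: not a private 0600 file" >&2
        return 1
    }
    echo "binding as $(service_principal "$app" "$realm")" >&2
    k5start -U -f "$keytab" -k "/var/run/krb5cc_$app" -K 10 -- \
        ldapsearch -Q -Y GSSAPI -H "$ldap_uri" -b "$base" "$filter" uid mail
}

# Usage: ./query.sh '(uid=jdoe)'  (placeholder host, base and keytab path)
if [ $# -gt 0 ]; then
    ldap_query_as_service myapp EXAMPLE.ORG /etc/myapp/myapp.keytab \
        ldap://ldap.example.org 'ou=people,dc=example,dc=org' "$1"
fi
```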