[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos andDIGEST-MD5)

On Thursday, July 29, 2004, at 04:12 PM, Quanah Gibson-Mount wrote:
We wrote our own utility that downloads the keys over an encrypted channel to the target system. It validates the calls using the user's Kerberos principal. It allows for multiple people to be on the ACL for a keytab, and it allows for multiple groups (which can contain multiple people) to be on the ACL for a keytab.

How about that, that's what we did, too (everything but the groups), has been running for years. LDAP isn't involved.

I don't know what Heimdal's solution looks like.  It's plausible
that they would have one, because it's a real need with a big site.
I think there might be a way to do it with just LDAP, and a special
OpenLDAP back end - it actually might be a kind of interesting idea
here, the way things are going.  I don't see any reason it would
have to be strongly dependent on how the KDC is implemented - MIT
or Heimdal, LDAP or db, etc.  I think the main issue would be the
security of this LDAP service, given its potential liabilities for
the security of other services - not that it can't be done, it's
just something that would need to be thought about.

	Donn Cave, donn@u.washington.edu