On Oct 5, 12:25pm, Simon Wilkinson wrote:
} Subject: Re: Kerberos OpenLDAP Frontend

Good morning to everyone, hope your week is starting out well.

> On 4 Oct 2007, at 19:02, Booker Bense wrote:
> >
> > The only reason to put in a LDAP back end is to simplify the
> > account management

> One thing I keep thinking about implementing is an LDAP->kadmin
> proxy. You'd still have the KDC database in the current DB format,
> but you'd be able to access it through an overlay on your OpenLDAP
> server, which would translate LDAP actions into kadmin RPCs.

Its the most reasoned and secure approach available for integrating
Kerberos and LDAP.

I've started bolting together a backend to OpenLDAP to implement this
functionality. Its currently waiting for snow to overtake the
northern plains and force me off my bicycle and into the house in the
evenings... :-)

The main issue is an LDAP scheme to implement. There are some bits
and pieces floating around but nothing I would consider definitive
beyond what Novell implemented for the back-end project. Group
consensus on a suitable schema would be an important and enabling
first step.

> S.

Best wishes for a productive week.

}-- End of excerpt from Simon Wilkinson

As always,
Greg Wettstein

The Hurderos Project
Open Identity, Service and Authorization Management

"We know that communication is a problem, but the company is not going
to discuss it with the employees."
-- Switching supervisor
AT&T Long Lines Division