[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Kerberos+LDAP - identity management problems

To: Marius Olsthoorn <marius@kern.nl>, OpenLDAP-Software@OpenLDAP.org
Subject: Re: Kerberos+LDAP - identity management problems
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Mon, 01 Dec 2003 09:21:54 -0800
Content-disposition: inline
In-reply-to: <63409.217.170.42.254.1070033149.squirrel@webmail.kern.nl>
References: <63409.217.170.42.254.1070033149.squirrel@webmail.kern.nl>

--On Friday, November 28, 2003 4:25 PM +0100 Marius Olsthoorn <marius@kern.nl> wrote:

Most importently, applications cannot use the same
identity name for both authentication and querying
LDAP, since using LDAP for authentication is against
the spirit of Kerberos.


Marius,

Our answer is that we have an entire events system, and a global database called the 'registry' that has pretty much every bit of information on people we could ever want to hold. All changes get propagated into/out of the registry via events, and clients that receive events read the changes via an XML document server.

As far as applications, I'm not clear what your issue is. We create service principles (service/<appname>). We then use the k5start utility to get a kerberos ticket for that application. The application then uses that ticket to bind to the LDAP server and makes its query.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

Follow-Ups:
- Re: Kerberos+LDAP - identity management problems
  - From: "Marius Olsthoorn" <marius@kern.nl>

Prev by Date: Re: 'quote-insensitive' search
Next by Date: Re: 'quote-insensitive' search
Index(es):
- Chronological
- Thread