help-shishi

Re: kerberos and ldap: Standards?


From: Simon Josefsson
Subject: Re: kerberos and ldap: Standards?
Date: Fri, 21 Apr 2006 17:10:26 +0200
User-agent: Gnus/5.110005 (No Gnus v0.5) Emacs/22.0.50 (gnu/linux)

Elrond <address@hidden> writes:

> Just to repeat the initial words of my initial mail (more
> or less):
> This is off-topic.
> This is not about shishi or shisa. (at least not in the
> first place.)
> I probably should have gone to a general purpose kerberos
> list with the question.
>
> My usage case is Samba-TNG. It interfaces with two and
> probably next with three worlds: Unix, Windows, and
> Kerberos (the last is coming very slowly).
>
> Our premier backend for storage of meta-data is ldap.
>
> To cleanly map the three worlds, we need mapping functions.
> They can either be algorithmic ("if we don't know, use
> realm HOMEREALM") or listed mappings as the example above
> wants to illustrate.
>
> Despite sql, where everybody can create a new table with
> their own schema, ldap is requiring more standardisation,
> so that people can play with each other.
>
> So I was looking for the right standards.

Ah, I see what you mean.  I'm not sure there is a standard for
something like that using ldap.

You could do all this on the KDC, to hide the details from the
clients.  It seems hard to solve this on the clients, which may not be
authenticated yet.  With the file backend, to create an alias for a
user is nothing more than to hardlink or symlink the file for that
user.

I think Microsoft uses "referrals" for similar problems, but I haven't
followed this work closely:

http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-referrals-07.txt

/Simon
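As an added illustration (not code from shishi/shisa and not written by either poster), a small model of the scheme the thread sketches: listed mappings are consulted first, unknown names fall back to the algorithmic rule (append the home realm), and aliases are resolved on the KDC side the way a chain of symlinked principal files would be, with loop detection, since a symlink chain can point back at itself. The realm, names and tables are all constructed.

```python
"""Model of name mapping plus KDC-side aliasing as discussed in the thread.

Constructed example; nothing here is shishi/shisa code. The dicts stand in
for the LDAP entries (listed mappings) and the file-backend symlinks (aliases).
"""

HOME_REALM = "EXAMPLE.ORG"  # constructed realm, stands in for "HOMEREALM"

# Listed mappings: external account name -> Kerberos principal.
LISTED_MAPPINGS = {
    "unix:alice": "alice@EXAMPLE.ORG",
    "windows:DOMAIN\\bob": "bob@EXAMPLE.ORG",
}

# Aliases as a KDC-side table: alias principal -> target principal, modelled
# on the "symlink the principal's file" approach from the reply.
ALIASES = {
    "robert@EXAMPLE.ORG": "bob@EXAMPLE.ORG",
    "bobby@EXAMPLE.ORG": "robert@EXAMPLE.ORG",
    # a deliberate loop, to show why alias resolution must be bounded
    "loop1@EXAMPLE.ORG": "loop2@EXAMPLE.ORG",
    "loop2@EXAMPLE.ORG": "loop1@EXAMPLE.ORG",
}


def map_to_principal(world: str, name: str) -> str:
    """Listed mapping first; otherwise the algorithmic rule: name@HOME_REALM."""
    key = f"{world}:{name}"
    if key in LISTED_MAPPINGS:
        return LISTED_MAPPINGS[key]
    if "@" in name:  # already a full principal; leave its realm alone
        return name
    return f"{name}@{HOME_REALM}"


def canonicalize(principal: str, aliases=ALIASES, max_hops: int = 8) -> str:
    """Follow alias links to the canonical principal, refusing loops and long chains."""
    seen = set()
    current = principal
    for _ in range(max_hops):
        if current not in aliases:
            return current  # not an alias: this is the canonical entry
        if current in seen:
            raise ValueError(f"alias loop at {current}")
        seen.add(current)
        current = aliases[current]
    raise ValueError(f"alias chain longer than {max_hops} hops for {principal}")


def resolve(world: str, name: str) -> str:
    """Full KDC-side resolution: map the external name, then canonicalize it."""
    return canonicalize(map_to_principal(world, name))
```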
