[OpenAFS] converting Kaserver and protection server to working with LDAP

Sam Hartman hartmans@mit.edu
04 Jun 2001 14:49:20 -0400

>>>>> "Derek" == Derek Atkins <warlord@MIT.EDU> writes:

    Derek> One thing to consider is that LDAP has little security,
    Derek> whereas the AFS Administration tools, which use RX, have
    Derek> Kerberos-based security of all operations.  

This is false.  LDAP uses SASL and works great with the GSSAPI SASL
mechanism for Kerberos.

If I were working on this project, I would probably develop an LDAP
schema for ptserver, and then write a replacement ptserver that talked
to an LDAP server rather than to its own database.  I'm not at all
convinced this would be a good idea, but it would at least be

I would not do the same thing for kaserver.  I would first read the
arguments on ietf-krb-wg@anl.gov and kerberos@mit.edu about why you
shouldn't use LDAP for Kerberos.  If I were still convinced I wanted
LDAP for Kerberos, I would work on getting Heimdal to support IBM's
Kerberos LDAP schema.  Heimdal does have LDAP support but I'm not sure the schema matches the latest Internet draft.