[OpenAFS] Some questions about the future of OpenAFS

Derrick J Brashear shadow@dementia.org
Mon, 22 Apr 2002 15:29:07 -0400 (EDT)


On Mon, 22 Apr 2002, Tim Gaastra wrote:

> 1) Is there a time table for converting AFS to be a Kerberos V5 service?
> (i.e., no need for krb524d, no need to use asetkey to grab the Key from
> a keytab into the Keyfile but instead just using a keytab like other V5
> services, etc.)

For this to happen, Rx needs to be able to deal with krb5, and it can't
yet, though there has at least been progress down this path (actually,
GSSAPI, which gets you krb5). Further, pts should likely have a way to
deal with it, since existing sites won't want to have shadow/admin and
shadow.admin. There are doubtless other subtleties which will crop up. A
simple "just rename foo.bar to foo/bar and fix all the ACLs" would
probably be easier, but painful for any site which piggybacks anything on
pts.

> 3) What are the moral and technical objections to tying some of the
> databases (the ptserver, mostly, obviously this isn't the best idea for
> the VLDB) to a kerberized version of LDAP (by which I mean an LDAP that
> authenticates access via Kerberos)... "Why would anyone want to do
> this?" Well, the biggest reasons I can come up with is centralization of

Is there real-time replication and a floating master in OpenLDAP yet?
Throwing away functionality is something I find personally repugnant,
though in this vein I speak only for myself.

-D
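The naming mismatch Derrick describes (a Kerberos v5 `shadow/admin` versus an existing pts entry `shadow.admin`, and why "just rename foo.bar to foo/bar" is painful) is easier to see worked through. The script below is an added illustration written for this page; it is not OpenAFS code and does not reproduce how OpenAFS or rxkad actually converts names. It assumes that pts entry names follow the v4 convention `name.instance`, that a v5 principal is `primary/instance@REALM`, and that a principal from a non-local realm is recorded as `name@realm` with the realm lower-cased, in the style AFS uses for foreign-cell users; the realm `EXAMPLE.ORG` and the principal list are constructed sample data.

```python
"""Added example (not OpenAFS code): the Kerberos v4/v5 naming mismatch
discussed in the reply above.  Assumptions: pts entry names follow the v4
convention "name.instance"; a v5 principal is "primary/instance@REALM";
a principal from a non-local realm is recorded as "name@realm" with the
realm lower-cased, in the style AFS uses for foreign-cell users.
"""


def parse_v5(principal):
    """Split 'primary/instance@REALM' into (components, realm)."""
    if principal.count("@") != 1:
        raise ValueError("expected exactly one '@' in %r" % principal)
    comps, realm = principal.split("@")
    parts = comps.split("/")
    if not realm or any(p == "" for p in parts):
        raise ValueError("empty component in %r" % principal)
    return parts, realm


def v5_to_pts(principal, local_realms):
    """Flatten a v5 principal to the pts name a v4-style site would use.

    Components are joined with '.', which is why 'shadow/admin' and
    'shadow.admin' (a primary that merely contains a dot) land on the
    same pts entry.  v4 names carry at most name.instance, so more than
    two components is rejected rather than silently truncated.
    """
    parts, realm = parse_v5(principal)
    if len(parts) > 2:
        raise ValueError("v4-style names hold at most name.instance: %r" % principal)
    name = ".".join(parts)
    if realm.lower() not in local_realms:
        # Foreign-cell user: keep the realm as a suffix (assumed convention).
        name = "%s@%s" % (name, realm.lower())
    return name


def pts_to_v5(pts_name, realm):
    """The naive 'just rename foo.bar to foo/bar' migration.

    It cannot tell an instance separator from a dot that is part of the
    name, so an existing entry such as 'john.smith' becomes the
    two-component principal 'john/smith', which may not match the KDC.
    """
    if "@" in pts_name:
        raise ValueError("foreign-cell entry needs its own realm: %r" % pts_name)
    return "%s@%s" % (pts_name.replace(".", "/"), realm)


def find_collisions(principals, local_realms):
    """Group v5 principals that would share one pts entry after flattening."""
    by_pts = {}
    for p in principals:
        by_pts.setdefault(v5_to_pts(p, local_realms), []).append(p)
    return {name: ps for name, ps in by_pts.items() if len(ps) > 1}


# Constructed sample KDC listing; EXAMPLE.ORG stands in for the local realm.
LOCAL_REALMS = {"example.org"}
SAMPLE_PRINCIPALS = [
    "shadow/admin@EXAMPLE.ORG",
    "shadow.admin@EXAMPLE.ORG",
    "tim@EXAMPLE.ORG",
    "tim@OTHER.ORG",
]

if __name__ == "__main__":
    for p in SAMPLE_PRINCIPALS:
        print("%-28s -> pts %s" % (p, v5_to_pts(p, LOCAL_REALMS)))
    for name, ps in sorted(find_collisions(SAMPLE_PRINCIPALS, LOCAL_REALMS).items()):
        print("collision on pts entry %r: %s" % (name, ", ".join(ps)))
    print("naive migration of 'john.smith':", pts_to_v5("john.smith", "EXAMPLE.ORG"))
```

Running it shows the two directions of the problem: flattening v5 names makes `shadow/admin` and `shadow.admin` indistinguishable in pts, while the naive rename in the other direction turns any dotted pts name into a multi-component principal, which is exactly what bites a site that has built other things on top of pts names.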