Re: LDAP and Heimdal
On Tue, Feb 06, 2001 at 04:30:47PM +0100, Jean-Eric Cuendet wrote:
> Hi,
> I'm using MIT kerberos at the moment but I'm interested in letting
> kerberos get its information in LDAP.
> What's the status of LDAP + Heimdal?
It works OK -- the KDC database can be stored in LDAP, and an entry
might look like this:

dn: cn=user@example.com,dc=krb,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: krb5Principal
objectClass: krb5KDCEntry
krb5PrincipalName: user@EXAMPLE.COM
krb5KeyVersionNumber: 1
krb5MaxLife: 86400
krb5MaxRenew: 604800
krb5KDCFlags: 126
krb5Key:: MnYg2VMoqTu0TPqRhpWI1VPaZ7BDT2e6zXZdbD1aPqJaCYt4VxP0rXsNZ...
krb5Key:: MnYg2VMoqTu0TPqRhpWI1VPaZ7BDT2e6zXZdbD1aPqJaCYt4VxP0rXsNZ...
krb5Key:: MnYg2VMoqTu0TPqRhpWI1VPaZ7BDT2e6zXZdbD1aPqJaCYt4VxP0rXsNZ...
krb5Key:: MnYg2VMoqTu0TPqRhpWI1VPaZ7BDT2e6zXZdbD1aPqJaCYt4VxP0rXsNZ...
cn: user@example.com
sn: user@example.com

The keys are encrypted using the KDC's master key. Even so you don't
want their ciphertext to be generally available, so proceed with care.
--
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org
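
A check for the caution in the message above, as an added example that is not part of the original post or of Heimdal: it parses LDIF captured from a search made with an unprivileged or anonymous bind and reports every entry whose krb5Key values were returned. The sample LDIF, its dummy key bytes and the function names are constructed for illustration.

```python
import base64

SENSITIVE = {"krb5key"}  # attribute name taken from the entry in the post

# Constructed sample: search output from a directory with no ACL on krb5Key.
# The key values are dummy bytes, not real key material.
SAMPLE_LDIF = """\
dn: cn=user@example.com,dc=krb,dc=example,dc=com
objectClass: krb5Principal
krb5PrincipalName: user@EXAMPLE.COM
krb5Key:: Y29uc3RydWN0ZWQtZHVt
 bXkta2V5LTE=
krb5Key:: Y29uc3RydWN0ZWQtZHVtbXkta2V5LTI=

dn: cn=host/www.example.com@EXAMPLE.COM,dc=krb,dc=example,dc=com
objectClass: krb5Principal
krb5PrincipalName: host/www.example.com@EXAMPLE.COM
"""

def unfold(text):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def exposed_keys(ldif_text, sensitive=SENSITIVE):
    """Return {dn: [decoded value sizes]} for entries exposing sensitive attrs."""
    findings, dn = {}, None
    for line in unfold(ldif_text):
        if not line.strip():
            dn = None                      # blank line ends the current entry
            continue
        attr, sep, rest = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        b64 = rest.startswith(":")         # "attr:: value" is base64-encoded
        value = rest[1:].strip() if b64 else rest.strip()
        if attr.lower() == "dn":
            dn = base64.b64decode(value).decode() if b64 else value
        elif dn and attr.split(";")[0].lower() in sensitive:
            size = len(base64.b64decode(value)) if b64 else len(value)
            findings.setdefault(dn, []).append(size)
    return findings

if __name__ == "__main__":
    for dn, sizes in exposed_keys(SAMPLE_LDIF).items():
        print(f"EXPOSED {dn}: {len(sizes)} krb5Key value(s), sizes {sizes}")
```

An empty result for a given bind identity means that identity could not read krb5Key on any returned entry.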