which Kerberos implementation?
On Sat, Apr 24, 2010 at 09:52:49PM +0200, Petter Reinholdtsen wrote:
> [Petter Reinholdtsen]
> Not sure which Kerberos implementation we should use. Reading
> <URL: http://grep.be/blog/en/lazyweb/re_kerberos_ldap > make me
> suspect Heimdal Kerberos might be a better choice than MIT Kerberos,
> as it has had support for storing principals in LDAP for a long time.
I am just looking at http://www.h5l.org/manual/HEAD/info/heimdal/Using-LDAP-to-store-the-database.html#Using-LDAP-to-store-the-database
and there it states:
Since Heimdal talks to the LDAP server over a UNIX domain socket, and
uses external sasl authentication, it's not possible to require
security layer quality (ssf in cyrus-sasl lingo). So that requirement
has to be turned off in OpenLDAP slapd configuration file slapd.conf.
Does this mean we can't split ldap-server and kdc-server? Or is this a
bad idea anyway?