In early May of this year, Paul Hill from MIT mentioned in a meeting that he was interested in providing admin access to the MIT K5 KDC via an LDAP interface. This would solve many of our current problems in an elegant way. I was taken with this idea and spent some time investigating the possibilities. Here are my notes.

From my rather brief exploration, it seems that the easy part is actually shoving data in and out. It would be relatively straightforward to do this as a backend to the OpenLDAP version 2.0 LDAP server. The hard part is when you come to data that is NOT in the KDC, but that you would like to admin via LDAP.

The most obvious of these is ACLs, and coming up with a schema that supports the ACLs easily. There are almost too many choices of how to proceed. In many ways it is very tempting to use the LDAP server as an adjunct authority server to the authorization functions of the KDC.
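To make the "data that is NOT in the KDC" problem concrete, here is an added example (my own illustration, not code from MIT or the OpenLDAP project) that parses the kadmind ACL file format (kadm5.acl: principal pattern, permission letters with uppercase meaning deny, optional target principal pattern) and sketches how each entry might be rendered as an LDAP entry. The objectClass and attribute names in the LDIF output are hypothetical placeholders for whatever schema is eventually chosen; the sample ACL text is constructed; wildcard matching uses fnmatch, which is looser than kadmind's per-component matching, and first-match-wins evaluation is an assumption about kadmind's behaviour, not a guarantee.

```python
import fnmatch
from dataclasses import dataclass

# kadm5.acl permission letters; a lowercase letter grants, uppercase denies.
PERMS = {"a": "add", "d": "delete", "m": "modify", "c": "changepw",
         "i": "inquire", "l": "list", "s": "setkey", "p": "propagate"}


@dataclass
class AclEntry:
    principal: str      # pattern for the administrator principal
    allow: frozenset    # operations granted
    deny: frozenset     # operations explicitly denied
    target: str = "*"   # pattern for the principal being administered


def parse_kadm5_acl(text):
    """Parse kadm5.acl text into AclEntry objects, ignoring comments/blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError(f"malformed ACL line: {raw!r}")
        principal, perms = parts[0], parts[1]
        target = parts[2] if len(parts) > 2 else "*"
        allow, deny = set(), set()
        for ch in perms:
            if ch in ("x", "*"):            # shorthand for all permissions
                allow |= set(PERMS.values())
            elif ch.lower() in PERMS:
                (deny if ch.isupper() else allow).add(PERMS[ch.lower()])
            else:
                raise ValueError(f"unknown permission {ch!r} in {raw!r}")
        entries.append(AclEntry(principal, frozenset(allow), frozenset(deny), target))
    return entries


def is_allowed(entries, client, op, target):
    """Decide whether `client` may perform `op` on `target`.

    Assumption: the first entry whose principal and target patterns both
    match decides the outcome; no matching entry means deny.
    """
    for e in entries:
        if (fnmatch.fnmatchcase(client, e.principal)
                and fnmatch.fnmatchcase(target, e.target)):
            return op in e.allow and op not in e.deny
    return False


def to_ldif(entry, base_dn):
    """Render one ACL entry as LDIF using HYPOTHETICAL attribute names.

    Nothing here is a standard Kerberos LDAP schema; it only shows that the
    ACL rows carry information the KDC database itself does not hold.
    """
    lines = [
        f"dn: x-krbAclPrincipal={entry.principal},ou=kadmin-acl,{base_dn}",
        "objectClass: x-krbAdminAcl",            # hypothetical objectClass
        f"x-krbAclPrincipal: {entry.principal}",  # hypothetical attribute
        f"x-krbAclTarget: {entry.target}",        # hypothetical attribute
    ]
    lines += [f"x-krbAclAllow: {op}" for op in sorted(entry.allow)]
    lines += [f"x-krbAclDeny: {op}" for op in sorted(entry.deny)]
    return "\n".join(lines) + "\n"


# Constructed sample ACL text, in kadm5.acl syntax.
SAMPLE_ACL = """\
# joe may change passwords and look, but never add/delete/modify
joe/admin@EXAMPLE.COM   ADMcil
*/admin@EXAMPLE.COM     *
readonly@EXAMPLE.COM    il   host/*@EXAMPLE.COM
"""

if __name__ == "__main__":
    acl = parse_kadm5_acl(SAMPLE_ACL)
    for e in acl:
        print(to_ldif(e, "dc=example,dc=com"))
    print(is_allowed(acl, "alice/admin@EXAMPLE.COM", "add", "bob@EXAMPLE.COM"))
```

Running the module prints one LDIF stanza per ACL line followed by a sample decision; the point of the exercise is that the allow/deny sets and target restrictions live entirely outside the KDC's principal database, so an LDAP front end has to own a schema for them rather than merely relay KDC data.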