An LDAP Schema for Kerberos KDC Information
Symas Corp.
This document describes an LDAP [RFC4511] schema for implementing the Kerberos 5 [RFC4120] KDC Information Model [I-D.ietf-krb-wg-kdc-model]. It also defines additional elements which are not covered by the Information Model, but are already in common use.

1. Background and Motivation

Both Kerberos and LDAP are frequently used separately for distributed authentication. They can also be used in combination, but typically their user databases remain separate. This separation of databases causes unnecessary duplication of data and administration overhead. As such, it is desirable for both systems to share a single database. Since the LDAP data model is more general, it is most appropriate to store the Kerberos data in LDAP.

A number of Kerberos implementations already have support for using LDAP as their KDC backing store. However, each implementation uses its own schema, and the multiple schemas are mutually incompatible. For the sake of interoperability and administrative ease, it is important to define a single standard schema that can be used uniformly by all Kerberos KDC implementations and that interoperates with existing LDAP specifications.

2. General Issues