> Kerberos is not a complete identity solution. You would also need to
> expose the LDAP p[ao]rt which parcels out a few user attributes (name,
> email, something like an SID or UID/GID...) Otherwise you have to
> synchronize two pieces of an identity solution run by two different
> organizations/people.
That is NOT true. I'm just talking about the Kerberos portion, of course, but Kerberos _clients_ do not need access to LDAP. Depending on what you're doing on the application server side, yes, I can see that. But I know plenty of people (including us) who have their KDCs Internet-accessible without exposing their LDAP servers to the Internet.

The specific implementation of Active Directory may require LDAP (or other protocol) access for Windows clients, but it is important to note that this is NOT a requirement for the Kerberos protocol in general.

--Ken

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos