On Fri, Jan 25, 2002 at 12:25:54PM -0500, Nicolas Williams wrote:
> How should a client distinguish between two *different* LDAP databases
> using the same service principal name?
>
> I think each LDAP DB should have a unique service principal name. Most
> times ldap/fqdn@REALM will do, but if you're running two different LDAP
> DBs on the same host you'd have to use a different service princ name
Or share the keytab (i.e., same principal). For both services, you will
still be you, no matter what principal the server has.

> for at least one of them, which means that the clients have to be
> somewhat configurable with respect to Kerberos service principal names
> for LDAP servers.

I was first concerned about that when I asked about this difference
between service and host principals. For example, if telnet and openssh
share the same principal, how can I control access to them? Well, that's
not Kerberos' job, at least not with the current implementation as I
understand it (perhaps with MS-Kerberos...). I shouldn't control access
to a service at the "ticket" level, i.e., if I can't get a ticket for it,
then I can't access it. That's authorization. (Hmm, I still have to read
the whole thread about this that started a few days ago...)

It's like that company example: when I present myself to the desk clerk,
I get a temp ID for use within the company. This doesn't automatically
let me into the restricted areas.
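As an added illustration (not code from this thread or from any Kerberos implementation), here is a toy model of the situation described above: telnet and ssh share one keytab entry, so both accept the same ticket, and each service then applies its own authorization policy. The principal names, realm, ACLs and the name-mapping rule are all constructed for the example.

```python
from __future__ import annotations

# Constructed setting: both services decrypt tickets with the same keytab
# entry, so a ticket for this one server principal authenticates a client
# to either of them. The ticket alone cannot tell the services apart.
SHARED_SERVICE = "host/www.example.com@EXAMPLE.COM"
DEFAULT_REALM = "EXAMPLE.COM"
# Per-service authorization policy (constructed). This is the part that
# Kerberos does not provide; it lives in the service.
SERVICE_ACL = {"telnet": {"alice"}, "ssh": {"alice", "bob"}}


def parse_principal(name: str) -> tuple[list[str], str | None]:
    """Split 'comp1/comp2@REALM' into (components, realm).
    Backslash escapes such as '\\/' and '\\@' are taken literally."""
    components: list[str] = []
    cur: list[str] = []
    in_realm = False
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):   # escaped character
            cur.append(name[i + 1])
            i += 2
            continue
        if not in_realm and ch in "/@":
            components.append("".join(cur))
            cur = []
            in_realm = ch == "@"
        else:
            cur.append(ch)
        i += 1
    if in_realm:
        return components, "".join(cur)
    components.append("".join(cur))
    return components, None


def principal_to_local(principal: str) -> str | None:
    """Map an authenticated client principal to a local user name.
    Constructed rule: only single-component names in our own realm map."""
    comps, realm = parse_principal(principal)
    if realm != DEFAULT_REALM or len(comps) != 1 or not comps[0]:
        return None
    return comps[0]


def decide(service: str, ticket_server: str, client: str) -> str:
    """Authentication (is the ticket for our key?) and then the
    service's own authorization decision, as two separate steps."""
    if parse_principal(ticket_server) != parse_principal(SHARED_SERVICE):
        return "authentication failed"
    local = principal_to_local(client)
    if local is None or local not in SERVICE_ACL.get(service, set()):
        return "authenticated but not authorized"
    return f"granted as {local}"
```

Note that the same client ticket yields "granted" on ssh and "authenticated but not authorized" on telnet: the ticket got bob through the front desk, and the service decided which doors open.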