> Luke> Adding support to a KDC for the PAC is not that difficult if
> Luke> you have a sensible architecture (for example, an integrated
> Luke> directory backend for the KDC). The difficulty lies in some
> Luke> of the other, unpublished, protocols which are necessary to
> Luke> domain logon.
>
> Isn't M$ publishing all the addition/changes to the LDAP/Kerberos
> protocol?
Not all of them, and there are other protocols besides Kerberos that are necessary. Microsoft might license them to you, though:

http://www.microsoft.com/legal/protocols/

You will need to execute a non-disclosure agreement before they will disclose the licensing terms.

> And 'integrated directory backend'. Couldn't that be an OpenLDAP2
> server tied with Kerberos (the way the openldap2+heimdal combo does it)?

What, the one we wrote? :-)

In principle, yes, but there are a number of other issues, such as name canonicalization, that require changes to the KDC frontend and Kerberos libraries as well as the backend. The following article, although partly inaccurate, has a good summary of what would be required:

http://www.usenix.org/publications/login/1998-5/brundrett.html

More information on our implementation is at:

http://www.padl.com/Research/XAD.html

-- Luke

--
Luke Howard | PADL Software Pty Ltd | www.padl.com

________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos