What's new for Kerberos in Solaris 10 5/08

Solaris 10 5/08 was just released and it contains a number of significant enhancements to Kerberos. I've drawn up a list of new features, singling out the ones I think are most significant. Even apart from these new features there were many bug fixes and other minor improvements.

  • Support for Kerberos principal and policy records in LDAP

    Adds support for accessing Kerberos principal and policy records stored on a Directory Server, via LDAP. Storing Kerberos records in LDAP has a number of advantages over the default db2 database such as simplified administration and allowing for multi-master KDC configuration. The KDC now supports a pluggable system for database storage. Both the new LDAP support and the older db2 database storage system are now implemented as plugins. Configuring a KDC with an LDAP database backend is a little different from the older db2 administration. A new utility kdb5_ldap_util and new configuration options are needed. You can find an updated Kerberos administration guide here which covers this new feature.

  • Zero-configuration Kerberos clients

    This is not a single feature per se but rather a number of relatively minor changes which together can obviate the need to explicitly configure Kerberos clients. The following changes were made:

    • dns_lookup_kdc is enabled by default
    • The Kerberos realm for a given host (or the default realm) is determined heuristically from the DNS domain name of the host (or local host)
    • krb5.conf has been modified so that it is not mis-configured by default
    • Client-side referral support was added, which allows the KDC to inform the client what realm they are in. Microsoft's Active Directory is an example of a KDC which supports this.

  • Full resync with MIT 1.4.3

    The Kerberos daemons, utilities and libraries are now fully in sync with MIT Kerberos 1.4.3 and contain some features of MIT 1.6. A new utility was introduced, k5srvutil, and new options were added to krb5.conf. One particularly useful option is auth_to_local, which allows for a more flexible mapping of principal names to local user names.
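As an added illustration of what auth_to_local does (this is not code from the post, from Solaris or from MIT), here is a small Python model of the MIT-documented RULE/DEFAULT syntax. It assumes MIT's semantics: a rule's selector regexp must match the whole formatted string, the sed-style substitution replaces the first match unless the g flag is given, and DEFAULT only maps single-component principals in the default realm; the rules and principals are constructed sample values.

```python
import re

# RULE:[n:string](regexp)s/pattern/replacement/g  (the trailing s/// part is optional)
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\((.*?)\)(?:s/(.*?)/(.*?)/(g?))?$")


def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (['comp1', 'comp2'], 'REALM')."""
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


def _expand(fmt, comps, realm):
    """Replace $0 with the realm and $1..$n with the principal components, in one pass."""
    return re.sub(r"\$(\d)", lambda m: realm if m.group(1) == "0" else comps[int(m.group(1)) - 1], fmt)


def apply_rule(rule, principal, default_realm):
    """Return the local name produced by one rule, or None if the rule does not apply."""
    comps, realm = parse_principal(principal)
    if rule == "DEFAULT":
        # Only 'user@DEFAULT_REALM' maps; foreign-realm principals never match DEFAULT.
        return comps[0] if realm == default_realm and len(comps) == 1 else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unparseable auth_to_local rule: %r" % rule)
    n, fmt, selector, pattern, repl, flag = m.groups()
    if int(n) != len(comps):
        return None  # rule is written for a different number of components
    selected = _expand(fmt, comps, realm)
    if re.fullmatch(selector, selected) is None:
        return None  # selector must match the entire formatted string
    if pattern is None:
        return selected
    return re.sub(pattern, repl, selected, count=0 if flag == "g" else 1)


def auth_to_local(rules, principal, default_realm):
    """First matching rule wins; None means the principal gets no local account."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None


# Constructed sample policy: service principals become root, users in a trusted
# sub-realm keep their bare name, and everything else only maps via DEFAULT.
SAMPLE_RULES = [
    r"RULE:[2:$1/$2@$0](host/.*@EXAMPLE\.COM)s/.*/root/",
    r"RULE:[1:$1@$0](.*@CORP\.EXAMPLE\.COM)s/@.*//",
    "DEFAULT",
]
```

Because the selector must match the whole string, a principal such as one in an unrelated realm falls through every rule and is left unmapped rather than silently becoming a local user.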

Comments:

Cool stuff! ZeroConf saved my time today :-))

Posted by spity on April 17, 2008 at 09:27 AM CDT #

About

mbp
