[Adium-devl] server Kerberos principal names

Peter Saint-Andre stpeter at stpeter.im
Thu Jan 10 19:32:11 UTC 2008


Ken Raeburn wrote:
> On Jan 10, 2008, at 12:47, Peter Saint-Andre wrote:
>> Yes, there is a Kerberos issue about how you know the principal  
>> name of the connection manager you've actually connected to. We're  
>> working to address that here:
>>
>> http://www.xmpp.org/extensions/inbox/domain-based-names.html
> 
> Interesting.
> At first glance, I'm not sure how much it helps, though.  I've got to  
> go back and re-read Nico's docs....
> 
> But I'm unclear why, for example, just picking
> "xmpp/domain-part-of-jid" wouldn't be an adequate solution.  (Or is the
> issue, "we didn't say and now implementations aren't consistent, so we
> need a new spec"?)

This is probably a discussion best held on the standards at xmpp.org list.

However, the problem is large deployments with multiple connection 
managers. You're assigned to a particular connection manager by a load 
balancer. So you don't know if you'll end up with a physical connection 
(TCP socket) at us3.cm.xmpp.example.com or eu7.xmpp.example.com or 
whatever, and you need to know that specific hostname in order to get 
the right service principal name etc. I'm not a Kerberos expert so I'm 
not the right one to explain it all, but we've found that this is needed 
in certain kinds of XMPP deployments that use Kerberos authentication. 
However, very few people really need to worry about this because such 
deployments are rare (but big!).

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
