In the process of setting up pkinit again, I was struck by the fact that
the subject<->principal mapping provided by the /var/heimdal/pki-mapping
file was exactly the sort of thing that many sites might want to pull
from an LDAP directory. I assume that right now this is hardcoded to use
pki-mapping, and for now we could probably extract this info from our
LDAP directory and stick it into a file on our kdc periodically, but do
other people think it would be useful to have a way to have the kdc
pull this info from LDAP? If so, I'll see if I can get some of my cycles
allocated to working on this.
Can anyone think of any reasons that this would be a bad idea?
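
The interim approach mentioned in the post above (periodically extracting the mapping from LDAP into a file on the KDC), as an added example that is not part of the original message or of Heimdal's code. It assumes each line of the mapping file has the form `principal:subject`; the function names and sample entries are hypothetical, and the LDAP search that would produce the pairs is left to the site.

```python
import os
import re
import tempfile

# Assumption: each line of the mapping file is "principal:subject-DN".
PRINCIPAL_RE = re.compile(r"[A-Za-z0-9._/-]+@[A-Za-z0-9.-]+")


def render_mapping(entries):
    """Build the file text from (principal, subject) pairs fetched from LDAP."""
    pairs = set()
    for principal, subject in entries:
        if not PRINCIPAL_RE.fullmatch(principal):
            raise ValueError(f"unsafe principal {principal!r}")
        # A newline or other control character inside a directory value
        # would otherwise inject an extra mapping line into the KDC's file.
        if not subject.strip() or any(ord(c) < 0x20 or ord(c) == 0x7F for c in subject):
            raise ValueError(f"unsafe subject for {principal}")
        pairs.add((principal, subject.strip()))
    if not pairs:
        # An empty LDAP result (outage, bad filter) must not wipe the mapping.
        raise ValueError("no mappings returned; keeping existing file")
    return "".join(f"{p}:{s}\n" for p, s in sorted(pairs))


def write_atomic(path, text):
    """Replace path in one rename so the KDC never reads a half-written file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".pki-mapping.")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(text)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)  # mkstemp created the file with mode 0600
    except BaseException:
        os.unlink(tmp)
        raise


# Constructed sample entries standing in for the result of an LDAP search.
SAMPLE = [
    ("alice@EXAMPLE.ORG", "CN=Alice Example,O=Example Org,C=US"),
    ("bob@EXAMPLE.ORG", "CN=Bob Example,O=Example Org,C=US"),
]

if __name__ == "__main__":
    write_atomic("pki-mapping.new", render_mapping(SAMPLE))
```

Because this file decides which certificate may authenticate as which principal, write access to the LDAP attributes it is built from becomes equivalent to write access to the mapping on the KDC.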