>>>>> "CE" == Carwyn Edwards <carwyn@xxxxxxxxxx> writes:

CE> I agree though, the whole LDAP/Kerberos server side setup is far
CE> more fiddly than it needs to be atm.

And yet, having been through this myself, I can't see a general way to make it much easier. Maybe some automated setup could work for one specific case (self-signed certificates, kerberos server and LDAP server on same machine, kerberos realm same as domain name, no replication, and a host of other simplifying assumptions).

Actually I found that Fedora was rather well prepared for this kind of thing. I didn't have to edit /etc/init.d scripts, which is a big plus. The only thing I really missed was more automatic support for Kerberos database propagation. LDAP was very clean, with slurpd starting automatically after specifying a replogfile in slapd.conf.

It's going to be a complex system no matter how much automation anyone does. What's really needed is better documentation of how the pieces are supposed to fit together.

 - J<