
Re: kadmin bug (missing mod_name)



On Thu, Nov 09, 2000 at 12:34:39AM +0100, Johan Danielsson wrote:
> "Jacques A. Vidrine" <n@nectar.com> writes:
>
> > The more serious problem is that `modifiersName' will never (?) be a
> > krb5PrincipalName.  Rather it will be anonymous (if it was updated
> > using kadmin), or something like `uid=nectar' or even
> > `uid=nectar@NECTAR.COM' (if it was updated directly via LDAP).
> 
> So what should be done about this? I'm no LDAP expert. I guess the
> people using it should have a say about this.

My gut feeling is that new attributes should be introduced and used 
explicitly rather than using the directory operation attributes.

(e.g.  krb5CreateTimestamp, krb5CreatorsName, krb5ModifyTimestamp,
krb5ModifiersName)

I will probably add this to the schema and hdb-ldap.c and see how that
works out.

By the way, where is this schema maintained?  I started with
krb5-kdc.schema that is included with OpenLDAP 2, but it seemed to be a
little `off' and required this patch:

--- servers/slapd/schema/krb5-kdc.schema.orig	Tue Sep  5 13:28:34 2000
+++ servers/slapd/schema/krb5-kdc.schema	Mon Oct 30 13:09:19 2000
@@ -96,7 +96,7 @@
 attributetype ( 1.3.6.1.4.1.5322.10.1.10
 	NAME 'krb5Key'
 	DESC 'Encoded ASN1 Key as an octet string'
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
 
 attributetype ( 1.3.6.1.4.1.5322.10.1.11
 	NAME 'krb5PrincipalRealm'
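Review bot: the SYNTAX change on krb5Key (1.3.6.1.4.1.1466.115.121.1.5 to 1.3.6.1.4.1.1466.115.121.1.40) brings the declared syntax in line with the DESC 'Encoded ASN1 Key as an octet string', since .1.5 is the LDAP Binary syntax and .1.40 is Octet String; that rationale should be stated in the change itself rather than left for the reader to infer from the OIDs. Before applying it, confirm that entries already stored under the old syntax still load once the schema is swapped, because this attribute holds principal key material and a schema mismatch here is exactly the kind of failure that is easy to miss until the KDC cannot read a key.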
@@ -112,7 +112,7 @@
 
 objectclass ( 1.3.6.1.4.1.5322.10.2.1
 	NAME 'krb5Principal'
-	SUP top
+	SUP person
 	AUXILIARY
 	MUST ( krb5PrincipalName )
 	MAY ( cn $ krb5PrincipalRealm ) )
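Review bot: changing `SUP top` to `SUP person` makes an AUXILIARY class derive from a STRUCTURAL one (person is structural in the core schema and requires sn and cn), which schema checkers reject and which forces every entry carrying krb5Principal to also be a person entry; the `cn` in the MAY list also becomes redundant, as person already requires it. If the intent is to attach Kerberos data to existing user entries, keep `SUP top` and let the entry's own structural class (person, inetOrgPerson, or a KDC-specific class for service principals) supply the rest, which is the usual way an auxiliary class is used.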

I wonder if the schema should be distributed with Heimdal?

Cheers,
-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org
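To illustrate the problem the thread describes (the LDAP operational attribute `modifiersName` never yielding a Kerberos principal) and the proposed remedy of an explicit attribute, here is an added example written for this page; it is not code from Heimdal or hdb-ldap.c, and it assumes the attribute name `krb5ModifiersName` from the mail and represents an anonymous modifier as the empty DN.

```python
# Added example, not part of the original mail or of hdb-ldap.c.
# Shows why modifiersName cannot be turned into a Kerberos principal
# and why an explicit krb5ModifiersName attribute (name assumed) is needed.
from typing import Optional


def principal_from_operational_attr(modifiers_name: str) -> Optional[str]:
    """Best-effort mapping of an LDAP modifiersName DN to a principal.

    Returns None for every value the mail lists:
      ''                       anonymous bind (assumed form; kadmin path)
      'uid=nectar'             directory user, no realm
      'uid=nectar@NECTAR.COM'  looks like a principal but is only a uid RDN
    Only a DN whose first RDN is krb5PrincipalName=... carries a principal.
    """
    dn = modifiers_name.strip()
    if not dn:  # anonymous modification: no modifier identity at all
        return None
    first_rdn = dn.split(",", 1)[0]
    attr, _, value = first_rdn.partition("=")
    if attr.strip().lower() != "krb5principalname":
        return None  # uid=... with or without @REALM is not a principal
    return value.strip() or None


def modifier_principal(entry: dict) -> Optional[str]:
    """Prefer the explicit Kerberos attribute, fall back to modifiersName."""
    explicit = entry.get("krb5ModifiersName")
    if explicit:
        return explicit[0]
    op = entry.get("modifiersName")
    return principal_from_operational_attr(op[0]) if op else None


# Constructed sample entries (attribute -> list of values, as an LDAP
# client library would return them) covering the cases from the mail.
SAMPLES = {
    "kadmin": {"modifiersName": [""]},
    "ldap_uid": {"modifiersName": ["uid=nectar,dc=nectar,dc=com"]},
    "ldap_uid_realm": {
        "modifiersName": ["uid=nectar@NECTAR.COM,dc=nectar,dc=com"]},
    "explicit": {
        "modifiersName": ["uid=nectar,dc=nectar,dc=com"],
        "krb5ModifiersName": ["nectar/admin@NECTAR.COM"]},
}
```

Only the entry carrying the explicit attribute yields a modifier principal; the other three, which are what the directory alone records, all come back empty.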