On Sun, 2004-02-29 at 16:07, Andrew Bartlett wrote:
> On Sun, 2004-02-29 at 15:44, Love wrote:
> > Andrew Bartlett <abartlet@samba.org> writes:
> >
> > > I realise it is not indented per the rest of heimdal (that was not a big
> > > concern when creating it :-), but I'll happily re-indent if you can give
> > > me your preferred indent command line.
> > >
> > > Is this something that is of interest to Heimdal?
> >
> > Yes, they are. The only thing I find a problem right now is that you change
> > HDBEntry and that can't really be done in a backward compatible manner (ie
> > running different major version of the kdc in the same realm). The idea we
> > have is that we should have a CHOICE (or something to that effect).
>
> Oops - I'll need to learn a bit more about how HDBentry works :-)
>
> Is it at all possible to have the hdb directly stored in the database be
> different to that used as an internal data structure? I know it removes
> some of the beauty of the system, but in Samba we have found it very,
> very useful. In particular, I extended it to support attributes that
> your kadmin protocol knows about, but your HDB doesn't :-)

Ok, that part missed this patch. It was in the patch I knocked up to
hack-level 12 months ago, but it is something I want to do.

> Also, I would like to have a 'plaintext password' attribute passed
> around, so that we can use it in a number of 'password synchronisation'
> areas.

One thing we probably should allow (but probably not encourage) is
putting plaintext passwords into LDAP, so that Samba, Heimdal,
Cyrus-SASL, HTTP-Digest and the rest can all use the exact same
password, without the multiple-hashes problem. Then each program can
hash it as required.

> > Have you (as in the samba people) given any thought to how to implement AES
> > keys in your LDAP schema? I guess there might be more enctypes sometime in
> > the future.
>
> That's not an issue for Samba right now - the NTLM authentication scheme
> is stuck at MD4 passwords, and is unlikely to move further than that.
> That is what Kerberos is for ;-)
>
> Andrew Bartlett

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net