On Sun, 2004-02-29 at 23:57, Love wrote:
> Andrew Bartlett <abartlet@samba.org> writes:
>
> > Oops - I'll need to learn a bit more about how HDBentry works :-)
>
> It's more asn1/der. Heimdal's asn1_compile has implicit continuations (...)
> so parsing data is just fine, however it won't be preserved, nor will the
> kdc properly reject data when it doesn't understand a critical extension.

Would you consider merging my patch if I removed the extra attributes
(which I don't use yet)? I was considering that the HDBentry in the
Heimdal database would simply not change, but that when using LDAP we
would present a 'richer' interface.

Otherwise, your proposal certainly makes sense.

> > Also, I would like to have a 'plaintext password' attribute passed
> > around, so that we can use it in a number of 'password synchronisation'
> > areas.
>
> That would be possible to solve in the above scheme.
>
> And indeed, we have talked about doing just that so enctypes can be added
> to users and not requiring them to change their password.

I assume this will be 'off by default' before the security nuts jump all
over you :-)

> > That's not an issue for Samba right now - the NTLM authentication scheme
> > is stuck at MD4 passwords, and is unlikely to move further than that.
> > That is what Kerberos is for ;-)
>
> Ah, ok.
>
> BTW, I've imported non ldap related parts of your patch. Thanks.

How much 'samba stuff' are you willing to tolerate in Heimdal? For
example, once we start updating the 'last change time', we should also
update/honour the 'min password age' and 'must change time' attributes.
(Ie, query the directory for those properties, and set them when we
update the password).

It is a slippery slope, and I understand why many projects would run and
scream, but I would love to see Heimdal as the KDC companion to Samba
(but that's simply because your HDB has at least made it sane for me to
do it :-)

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
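Love's remark above about asn1_compile's implicit continuations (unknown extension data parses, but is neither preserved on re-encoding nor rejected when it is marked critical) describes exactly the two behaviours a KDC database backend has to get right. The following is an added example, not Heimdal or Samba code: a small DER walker over a list of extensions that keeps unknown non-critical entries byte for byte and aborts on an unknown critical one. The extension shape it assumes (SEQUENCE of OID, optional critical BOOLEAN, OCTET STRING value) is modelled on the X.509 Extension layout and is an assumption, not Heimdal's actual HDB-extension definition; the OIDs and payloads are constructed for the demo.

```python
# Added example, not Heimdal or Samba code: a DER walker for an extension list
# that keeps unknown non-critical extensions byte for byte and refuses unknown
# critical ones.  Assumption: each extension is SEQUENCE { OID, BOOLEAN DEFAULT
# FALSE, OCTET STRING }, modelled on X.509, not on Heimdal's HDB-extension.

class UnknownCriticalExtension(Exception):
    pass

def _read_tlv(buf, pos):
    """Return (tag, value, end) for the DER TLV at buf[pos]; definite lengths only."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:end], end

def _tlv(tag, value):
    """DER-encode one TLV using the shortest valid length form."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _oid_body(dotted):
    """Content octets of an OBJECT IDENTIFIER given in dotted form."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes(body)

def encode_extension(oid, value, critical=False):
    """Encode one extension; DER omits the BOOLEAN when it equals DEFAULT FALSE."""
    inner = _tlv(0x06, _oid_body(oid))
    if critical:
        inner += _tlv(0x01, b"\xff")
    return _tlv(0x30, inner + _tlv(0x04, value))

def parse_extensions(der, known_oids):
    """Parse SEQUENCE OF Extension.  Each result keeps its raw TLV so unknown data
    survives re-encoding; an unknown *critical* extension aborts the parse."""
    known = {_oid_body(d) for d in known_oids}
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single outer SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        start = pos
        tag, ext, pos = _read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("extension must be a SEQUENCE")
        t, oid, p = _read_tlv(ext, 0)
        if t != 0x06:
            raise ValueError("extension must start with an OID")
        critical = False
        t, val, p = _read_tlv(ext, p)
        if t == 0x01:
            if val != b"\xff":
                raise ValueError("DER BOOLEAN TRUE is 0xFF; FALSE must be omitted")
            critical = True
            t, val, p = _read_tlv(ext, p)
        if t != 0x04 or p != len(ext):
            raise ValueError("extension must end with an OCTET STRING")
        if critical and oid not in known:
            raise UnknownCriticalExtension(oid.hex())
        out.append({"oid": oid, "critical": critical, "value": val, "raw": body[start:pos]})
    return out

def reencode_extensions(exts):
    # Unknown entries are written straight from their raw bytes, so nothing is lost.
    return _tlv(0x30, b"".join(e["raw"] for e in exts))

# Constructed sample data; the OIDs are hypothetical, not registered ones.
KNOWN_OIDS = {"1.3.6.1.4.1.99999.1"}
KNOWN_EXT = encode_extension("1.3.6.1.4.1.99999.1", b"\x00")
ENTRY_OK = _tlv(0x30, KNOWN_EXT + encode_extension("1.3.6.1.4.1.99999.2", b"samba-data"))
ENTRY_BAD = _tlv(0x30, KNOWN_EXT + encode_extension("1.3.6.1.4.1.99999.3", b"\x01", critical=True))

def demo():
    # Returns (unknown non-critical extension preserved, unknown critical rejected).
    preserved = reencode_extensions(parse_extensions(ENTRY_OK, KNOWN_OIDS)) == ENTRY_OK
    try:
        parse_extensions(ENTRY_BAD, KNOWN_OIDS)
        return preserved, False
    except UnknownCriticalExtension:
        return preserved, True
```

`demo()` returns `(True, True)`: the extension the parser does not understand but which is not marked critical comes back out of `reencode_extensions` unchanged, while the one marked critical makes `parse_extensions` raise instead of silently continuing. That split is the property to check for in any generated decoder before trusting it with KDC entries: dropping an unknown attribute on a round trip loses data another consumer (here, Samba) relies on, and ignoring an unknown critical one means the KDC acts on an entry whose constraints it never saw.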