Re: Integrate Heimdal's hdb-ldap and Samba
Andrew Bartlett <abartlet@samba.org> writes:
> On Sun, 2004-02-29 at 23:57, Love wrote:
>> Andrew Bartlett <abartlet@samba.org> writes:
>>
>> > Oops - I'll need to learn a bit more about how HDBentry works :-)
>>
>> It's more asn1/der. Heimdal's asn1_compile has implicit continuations (...)
>> so parsing data is just fine; however, it won't be preserved, nor will the
>> kdc properly reject data when it doesn't understand a critical extension.
>
> Would you consider merging my patch if I removed the extra attributes
> (which I don't use yet)?

I am considering including your patch in Heimdal, doing some merge of your
patch and the proposal I have. We have to break forward compatibility at
some time (with something like hdb-extensions). There are changes that are
already not put into the tree because of this issue (per-principal
configurable iteration counter for AES s2k, pkinit ACLs, etc).

Reading the LDAP patch, I think you break backward compatibility with the
old code, e.g. you changed how the Key was stored, to hex-encoded data from
raw octets.

> I was considering that the HDBentry in the Heimdal database would simply
> not change, but that when using LDAP we would present a 'richer'
> interface. Otherwise, your proposal certainly makes sense.

Ah, so you want a different interface between libhdb and libkadm5?

The hdb-structure is slightly entrenched into libkadm5 and the hprop/iprop
protocols. Also the kdc uses the hdb interface, so doing a new API seems to
be somewhat painful (based on a 2 min code review).

>> BTW, I've imported non ldap related parts of your patch.
>
> Thanks.
>
> How much 'samba stuff' are you willing to tolerate in Heimdal?
>
> For example, once we start updating the 'last change time', we should
> also update/honour the 'min password age' and 'must change time'
> attributes. (Ie, query the directory for those properties, and set them
> when we update the password).

Many changes that you propose above should really be part of Heimdal, so I
don't really see it as a problem to include them.

As long as the patches are clean, sane, pretty, don't do horrible things
with abstraction layers, and that someone tests them properly, I have no
problem including them in Heimdal. Also, including documentation is nice, at
least some framework for it; I really don't want to write all the text myself.

Love