[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Intergrate Heimdal's hdb-ldap and Samba
Andrew Bartlett <abartlet@samba.org> writes:
>> Shouldn't type-23 keys be stored in both entries ?
>
> Perhaps they should. I'm a bit worried about storing duplicate data -
> what do we do when they don't match. Now, that is pretty lame, as if
> the two representations of the type-32 key don't match, then the DES
> keys would also be in conflict with the NT password....
Well, at least by storing the data its possible to detect mismatch. Is
there a password changing protocol in SMB/cifs so that data can get out of
sync ?
>> The db really need to store all the data, so using something like
>> HDBEntry2OldHDBEntry wouldn't work.
>
> OK.
So, I integrated did a patch and almost that does this in a forward
compatible maner by using ANY. It break forward compat, but should be ok in
the future.
http://people.su.se/~lha/patches/heimdal/ldap-samba
But I've not tested the patch yet more then compiling it.
You changed the structural object class from person to account, is this
wise ?
Dunno how to express the data for ldap. Example of data that I want to
store in the extention structure is pkinit acl's, certificates, old keys
(krbtgt's). I guess part of that is expresable in ldap (pkinit acl's at
least, because that is what MS does).
Love
PGP signature