On Sun, 2004-03-07 at 10:48, Love wrote:
> Andrew Bartlett <abartlet@samba.org> writes:
>
> >> Shouldn't type-23 keys be stored in both entries ?
> >
> > Perhaps they should. I'm a bit worried about storing duplicate data -
> > what do we do when they don't match. Now, that is pretty lame, as if
> > the two representations of the type-32 key don't match, then the DES
> > keys would also be in conflict with the NT password....
>
> Well, at least by storing the data it's possible to detect a mismatch. Is
> there a password changing protocol in SMB/cifs so that data can get out of
> sync ?

There certainly is a password change protocol :-)

I would not object to storing both, and asserting that they are the same
in Heimdal. Samba can't assert that they are the same, but the only
Heimdal code that is going to be used will update the Samba passwords
anyway, so it is a non-issue.

There is some work being done to implement an OpenLDAP-side 'password
set' operation, so that both Heimdal and Samba 'set' the password with
the 'password set' extended operation, and all relevant things are
updated.

> >> The db really needs to store all the data, so using something like
> >> HDBEntry2OldHDBEntry wouldn't work.
> >
> > OK.
>
> So, I integrated did a patch and almost that does this in a forward
> compatible manner by using ANY. It breaks forward compat, but should be ok
> in the future.
>
> http://people.su.se/~lha/patches/heimdal/ldap-samba
>
> But I've not tested the patch yet more than compiling it.
>
> You changed the structural object class from person to account, is this
> wise ?

I certainly think it is. Person requires the account to be a real human,
and I would claim that machines are not. Furthermore, it matches what
Samba does.

> Dunno how to express the data for ldap. Example of data that I want to
> store in the extension structure is pkinit acl's, certificates, old keys
> (krbtgt's). I guess part of that is expressible in ldap (pkinit acl's at
> least, because that is what MS does).

People have generally found that almost anything can be shoved into LDAP,
given sufficient force ;-)

For x.509 certificates, there is an objectClass (strongAuthenticationUser)
and an attribute (userCertificate) for it already.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net