On Mon, 2004-03-08 at 03:33, Love wrote:
> Andrew Bartlett <abartlet@samba.org> writes:
>
> > There certainly is a password change protocol :-)
> >
> > I would not object to storing both, and asserting that they are the same
> > in Heimdal. Samba can't assert that they are the same, but the only
> > heimdal code that is going to be used will update the Samba passwords
> > anyway, so it is a non-issue.
>
> I don't think I care that much, and just leave it as it is.
>
> >> You changed the structural object class from person to account, is this
> >> wise?
> >
> > I certainly think it is. Person requires the account to be a real
> > human, and I would claim that machines are not. Furthermore, it matches
> > what Samba does.
>
> But it's not what the old code does, and I guess it might break for old
> installations.

Existing entries are not touched. So it's probably more compatible than that the hdb changes :-)

> If I did some more guessing, it's because microsoft uses person the old ldap
> code uses person.

Microsoft hacked the schema, to remove the 'sn' (surname) requirement.

> It should be simple enough to just have a runtime option.

I think heimdal might need to move towards what Samba does, and have an 'add user script', if you really expect that the first entry in the LDAP directory for a user will be the heimdal entry.

In the real world, I would have expected that if a site is going to the pain of setting up LDAP (and it is a pain, no matter what we can do) that the entries for the accounts would probably already exist (for nss_ldap, for all the reasons that they wanted their data in a single place to start with). As such, the 'account' stuff does not come into play, as the entry already exists.

For those things that are new, I think 'account' (or another suitable compatible structural objectClass) is appropriate. 'person' to my mind is not.

> >> Dunno how to express the data for ldap. Example of data that I want to
> >> store in the extension structure is pkinit acl's, certificates, old keys
> >> (krbtgt's). I guess part of that is expressible in ldap (pkinit acl's at
> >> least, because that is what MS does).
> >
> > People have generally found that almost anything can be shoved into
> > LDAP, given sufficient force ;-)
>
> The idea was not to use way too much force.

But that spoils all the fun ;-)

> > For x.509 certificates, there is an objectClass
> > (strongAuthenticationUser) and an attribute (userCertificate) for it
> > already.
>
> I was thinking more something like microsoft's
> altSecurity(Identity|Principal) (?).

So you don't want to store the certificate, just its 'name' for later matching? I can't spot an existing standard way, but we should be sure of that before duplicating something.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
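The person-versus-account point in the exchange above, as an added illustration that is not part of the thread and not Heimdal or Samba code: a minimal LDAP MUST-attribute check over two constructed LDIF entries, showing that a machine principal stored as a structural 'person' is rejected for lacking the 'sn' surname, while the same entry as an 'account' only needs a uid. The MUST lists follow RFC 2256 (person, strongAuthenticationUser) and RFC 1274 (account); the DN, OU and principal name are assumed sample values, and the Kerberos-specific auxiliary classes are left out.

```python
# Added example (not Heimdal or Samba code): MUST-attribute check for the
# structural object classes discussed in the thread. MUST lists per RFC 2256
# (person, strongAuthenticationUser) and RFC 1274 (account); 'top' is the
# abstract root. The DN and principal below are constructed sample values.
MUST = {
    "top": {"objectclass"},
    "person": {"cn", "sn"},                       # sn is the surname Microsoft dropped
    "account": {"uid"},                           # a login/machine account
    "strongauthenticationuser": {"usercertificate"},
}

def parse_ldif(text):
    """Parse one simple LDIF entry (no line folding or base64) into {attr: [values]}."""
    entry = {}
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def missing_must(entry):
    """Return the MUST attributes absent from the entry, given its objectClass values."""
    missing = set()
    for oc in entry.get("objectclass", []):
        missing |= MUST.get(oc.lower(), set()) - set(entry)
    return sorted(missing)

# Constructed: a host principal stored as a 'person', as the older code did.
HOST_AS_PERSON = """
dn: cn=host/kdc.example.com,ou=Principals,dc=example,dc=com
objectClass: top
objectClass: person
cn: host/kdc.example.com
"""

# Constructed: the same principal as an 'account' (the Samba-style choice).
HOST_AS_ACCOUNT = """
dn: uid=host/kdc.example.com,ou=Principals,dc=example,dc=com
objectClass: top
objectClass: account
uid: host/kdc.example.com
"""

if __name__ == "__main__":
    print("person :", missing_must(parse_ldif(HOST_AS_PERSON)))   # ['sn']
    print("account:", missing_must(parse_ldif(HOST_AS_ACCOUNT)))  # []
```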