Re: Integrate Heimdal's hdb-ldap and Samba
Just joined the list since I was reading the "hdb-ldap and Samba" thread
in the archive. I'm the administrator of an OpenLDAP/SambaPDC network
with MIT kerberos on the side. I'm also the author of -
ftp://ftp.kalamazoolinux.org/pub/pdf/ldapv3.pdf (which, of course, seems
to be down at the moment) - I'm really familiar with LDAPish topics and
have a working understanding of Kerberos.
An integrated Samba/DSA/KDC would be a dream come true.
> > In the real world, I would have expected that if a site is going to
> > the pain of setting up LDAP (and it is a pain, no matter what we can do)
Yep.
> > that the entries for the accounts would probably already exist (for
> > nss_ldap, for all the reasons that they wanted their data in a single
> > place to start with). As such, the 'account' stuff does not come into
> > play, as the entry already exists.
Agree, I'd suspect the LDAP object will almost always exist and the
kerberos data will be additive.
> > For those things that are new, I think 'account' (or another suitable
> > compatible structural objectClass) is appropriate. 'person' to my mind
> > is not.
> I take your word for it. But I would feel much better if some other ldap
> literate person spoke up and said what you said was right.
I'm an LDAP administrator, and I think he's correct. 'account' is the
correct objectclass.