
RE: Integrate Heimdal's hdb-ldap and Samba



On Wed, 2004-03-10 at 09:33, Howard Chu wrote:
> > -----Original Message-----
> > From: owner-heimdal-discuss@sics.se
> > [mailto:owner-heimdal-discuss@sics.se]On Behalf Of Adam Williams
> 
> > Agree,  I'd suspect the LDAP object will almost always exist and the
> > kerberos data will be additive.
> >
> > > > For those things that are new, I think 'account' (or
> > another suitable
> > > > compatible structural objectClass) is appropriate.
> > 'person' to my mind
> > > > is not.
> > > I take your word for it. But I would feel much better if
> > some other ldap
> > > literate person spoke up and said what you said was right.
> >
> > I'm an LDAP administrator, and I think he's correct.
> > 'account' is the correct objectclass.
> 
> It is not so cut-and-dry; this needs to be a configurable item. There are
> plenty of situations where person/inetOrgPerson is the established
> objectclass. Also, in an nss_ldap installation the relevant information is in
> a posixAccount object which is just an auxiliary class. In practice, this
> objectClass is usually associated with a person entry. The generic "account"
> objectclass is relatively useless by itself.
> 
> Speaking as a long-time designer of both Kerberos and LDAP and core developer
> of OpenLDAP, I'm quite familiar with both...

And it is - sort of.  If the record already exists in LDAP, then we just
add to it.  However, I can't see how a KDC can decree that a principal
is a 'person', on its own.

So, if you want other than account, then you probably care about your
LDAP setup, and are not going to be creating the initial entry with
heimdal anyway.  (You will add keys with heimdal later).

Does this sound reasonable?

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
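The rule Andrew describes above (add Kerberos data to an LDAP entry that already exists, and only create a minimal entry with the structural class 'account' when nothing is there) written out as a small planner, as an added example. This is not code from the thread, from Heimdal or from Samba. The objectClass and attribute names krb5Principal, krb5KDCEntry and krb5PrincipalName are assumed to be the auxiliary classes and attribute from Heimdal's hdb.schema; the DNs and entries are constructed sample data.

```python
"""Plan how a KDC should bind a Kerberos principal to an LDAP entry.

Added example, not Heimdal's or Samba's code. It encodes the thread's rule:
an existing entry keeps its structural class (person, inetOrgPerson, account,
whatever the site chose) and only gains the hdb-ldap auxiliary classes; a
brand-new entry is created with the structural class 'account', the only one a
KDC can justify on its own. The schema names below are assumptions taken from
Heimdal's hdb.schema as remembered, not verified against a live directory.
"""
from typing import Dict, List, Optional

# Assumed hdb-ldap auxiliary classes: attachable to any structural class.
KRB5_AUX_CLASSES = ("krb5Principal", "krb5KDCEntry")


def _lower(values: List[str]) -> set:
    """objectClass values are case-insensitive in LDAP; compare lowercased."""
    return {v.lower() for v in values}


def plan_principal_ldif(dn: str, principal: str,
                        existing: Optional[Dict[str, List[str]]]) -> str:
    """Return the LDIF needed to bind `principal` to `dn`.

    `existing` is the entry as currently stored (attribute -> values), or None
    when no entry exists under `dn`. Returns "" when nothing needs changing.
    Raises ValueError instead of silently rebinding an entry that already
    carries a different principal (two principals sharing one entry would let
    one identity authenticate as another).
    """
    if existing is None:
        # Nothing there: create a minimal 'account' entry. The uid is derived
        # from the principal's first component (e.g. "alice" or "host").
        uid = principal.split("@", 1)[0].split("/", 1)[0]
        lines = [f"dn: {dn}", "changetype: add",
                 "objectClass: top", "objectClass: account"]
        lines += [f"objectClass: {c}" for c in KRB5_AUX_CLASSES]
        lines += [f"uid: {uid}", f"krb5PrincipalName: {principal}"]
        return "\n".join(lines) + "\n"

    # Entry exists: never touch its structural class, only add what is missing.
    classes = _lower(existing.get("objectClass", []))
    current = existing.get("krb5PrincipalName", [])
    if current and current != [principal]:
        raise ValueError(f"{dn} is already bound to {current}, not {principal}")

    mods = []
    missing = [c for c in KRB5_AUX_CLASSES if c.lower() not in classes]
    if missing:
        mods.append("add: objectClass\n" +
                    "\n".join(f"objectClass: {c}" for c in missing))
    if not current:
        mods.append(f"add: krb5PrincipalName\nkrb5PrincipalName: {principal}")
    if not mods:
        return ""  # already fully provisioned; idempotent re-run
    return f"dn: {dn}\nchangetype: modify\n" + "\n-\n".join(mods) + "\n"


if __name__ == "__main__":
    # Constructed sample: an nss_ldap style user entry that already exists.
    bob = {"objectClass": ["top", "inetOrgPerson", "posixAccount"],
           "uid": ["bob"]}
    print(plan_principal_ldif("uid=bob,ou=People,dc=example,dc=com",
                              "bob@EXAMPLE.COM", bob))
    # Constructed sample: a service principal with no pre-existing entry.
    print(plan_principal_ldif("uid=host,ou=Services,dc=example,dc=com",
                              "host/kdc.example.com@EXAMPLE.COM", None))
```

The output is ordinary LDIF that can be reviewed before being handed to ldapmodify, which is the point of separating planning from writing: the structural class decision stays with whoever owns the directory, and the KDC side only ever appends.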
