Re: kadmin bug (missing mod_name)
On Thu, Nov 09, 2000 at 12:34:39AM +0100, Johan Danielsson wrote:
> "Jacques A. Vidrine" <email@example.com> writes:
> > The more serious problem is that `modifiersName' will never (?) be a
> > krb5PrincipalName. Rather it will be anonymous (if it was updated
> > using kadmin), or something like `uid=nectar' or even
> > `uid=nectar@NECTAR.COM' (if it was updated directly via LDAP).
> So what should be done about this? I'm no LDAP expert. I guess the
> people using it should have a say about this.
My gut feeling is that new attributes should be introduced and used
explicitly rather than using the directory operation attributes.
(e.g. krb5CreateTimestamp, krb5CreatorsName, krb5ModifyTimestamp,
I will probably add this to the schema and hdb-ldap.c and see how that
By the way, where is this schema maintained? I started with
krb5-kdc.schema that is included with OpenLDAP 2, but it seemed to be a
little `off' and required this patch:
--- servers/slapd/schema/krb5-kdc.schema.orig Tue Sep 5 13:28:34 2000
+++ servers/slapd/schema/krb5-kdc.schema Mon Oct 30 13:09:19 2000
@@ -96,7 +96,7 @@
attributetype ( 22.214.171.124.4.1.53126.96.36.199
DESC 'Encoded ASN1 Key as an octet string'
- SYNTAX 188.8.131.52.4.1.14184.108.40.206.5 )
+ SYNTAX 220.127.116.11.4.1.1418.104.22.168.40 )
attributetype ( 22.214.171.124.4.1.53126.96.36.199
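Review bot: The SYNTAX line changes with no stated reason, either in the patch or in the message, which says only that the schema seemed a little off. The last arc goes from 5 to 40 on the attribute described as 'Encoded ASN1 Key as an octet string', so say which syntax the server expects for the encoded key and add a comment in the schema file recording it. Also confirm that key values already stored under the old syntax are still read back byte for byte after the change.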
@@ -112,7 +112,7 @@
objectclass ( 188.8.131.52.4.1.53184.108.40.206
- SUP top
+ SUP person
MUST ( krb5PrincipalName )
MAY ( cn $ krb5PrincipalRealm ) )
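Review bot: Changing `SUP top` to `SUP person` makes every entry of this class carry person's MUST attributes (sn and cn) in addition to krb5PrincipalName, and service or host principals have no natural values for those. It also leaves `cn` in the MAY list redundant, since it becomes mandatory through the superior. If the aim is to attach Kerberos data to existing user entries, an auxiliary class that keeps `SUP top` would do that without forcing person attributes onto every principal; otherwise document the new requirement next to the definition.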
I wonder if the schema should be distributed with Heimdal?
Jacques Vidrine / firstname.lastname@example.org / email@example.com / nectar@FreeBSD.org