[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: kadmin bug (missing mod_name)

To: "Jacques A. Vidrine" <n@nectar.com>, Johan Danielsson <joda@pdc.kth.se>, heimdal-discuss@sics.se
Subject: Re: kadmin bug (missing mod_name)
From: Leif Johansson <leifj@it.su.se>
Date: Thu, 09 Nov 2000 13:30:49 +0100
In-Reply-To: Message from "Jacques A. Vidrine" <n@nectar.com> of "Wed, 08 Nov 2000 20:59:25 CST." <20001108205925.C93989@spawn.nectar.com>
Sender: owner-heimdal-discuss@sics.se

> On Thu, Nov 09, 2000 at 12:34:39AM +0100, Johan Danielsson wrote:
> > "Jacques A. Vidrine" <n@nectar.com> writes:
> >
> > > The more serious problem is that `modifiersName' will never (?) be a
> > > krb5PrincipalName.  Rather it will be anonymous (if it was updated
> > > using kadmin), or something like `uid=nectar' or even
> > > `uid=nectar@NECTAR.COM' (if it was updated directly via LDAP).

If modifiersName is empty that means that your ldap server is bad or
that you are using an anonymous bind with rw access (I shudder at the
though :-)

> > 
> > So what should be done about this? I'm no LDAP expert. I guess the
> > people using it should have a say about this.
> 
> My gut feeling is that new attributes should be introduced and used 
> explicitly rather than using the directory operation attributes.
> 
> (e.g.  krb5CreateTimestamp, krb5CreatorsName, krb5ModifyTimestamp,
> krb5ModifiersName)
> 

One of the motivation for having the schema (and putting the kdc database
in ldap) is to pave the way for administration of kdc data and other user-
related stuff using common administrative interfaces. I.e. someone might 
sit down and (very very carefully!!) write an ldap GUI that can edit kdc 
entries. In that case you might not even use kerberos to authenticate to
the directory in which case the modifier isn't even a principal!

This is the reason me and Luke Howard decided to use the standar operational
attributes which are _required_ by ldapv3 instead of defining new ones. Mapping
namespaces (principals <-> X500 distinguished names) is hard and we (Luke and
I) did not want to go the AD-way and specify a naming strucure to be used with
the schema (i.e dc-naming). 

It is nice to se the schema beeing put to use but I would not consider it 
ready for prime time just yet. This issue of namespace mapping and other 
issues still remains to be adressed. I started a list (kdc-schema@it.su.se) to
discuss this but it has been very quiet (partly because of inactivity on my
part). If there is intrest in discussing this please join.

--------------------------------------------------------------------------
Leif Johansson				Phone: +46 8 164541		
IT- and media services
Stockholm University 			email: leifj@it.su.se 	

<This space is left blank for quotational and disclamatory purposes.>

Follow-Ups:
- Re: kadmin bug (missing mod_name)
  - From: "Jacques A. Vidrine" <n@nectar.com>

References:
- Re: kadmin bug (missing mod_name)
  - From: "Jacques A. Vidrine" <n@nectar.com>

Prev by Date: Re: redhat kerberos PAM
Next by Date: Re: kadmin bug (missing mod_name)
Prev by thread: Re: kadmin bug (missing mod_name)
Next by thread: Re: kadmin bug (missing mod_name)
Index(es):
- Date
- Thread