
Re: kadmin bug (missing mod_name)

[thread moved from heimdal-discuss@sics.se to kdc-schema@it.su.se]

On Thu, Nov 09, 2000 at 01:30:49PM +0100, Leif Johansson wrote:
> If modifiersName is empty that means that your ldap server is bad or
> that you are using an anonymous bind with rw access (I shudder at the
> thought :-)

This is exactly what is recommended on Luke's page.  In fact, hdb-ldap.c
will need to be changed if different behaviour is wanted.   The way it
is currently written, a private Unix domain socket is used for
communication.  I suppose one could add a default dn to bind to in
/etc/ldap.conf, but that seems like a poor approach.

> One of the motivations for having the schema (and putting the kdc database
> in ldap) is to pave the way for administration of kdc data and other user-
> related stuff using common administrative interfaces.

This is exactly my interest.  

> I.e. someone might 
> sit down and (very very carefully!!) write an ldap GUI that can edit kdc 
> entries. In that case you might not even use kerberos to authenticate to
> the directory in which case the modifier isn't even a principal!

Yes, correct.

> This is the reason Luke Howard and I decided to use the standard operational
> attributes which are _required_ by ldapv3 instead of defining new ones. Mapping
> namespaces (principals <-> X500 distinguished names) is hard and we (Luke and
> I) did not want to go the AD-way and specify a naming structure to be used with
> the schema (i.e. dc-naming).

Only what is there to map?   kadmind would have to be taught to bind as
the user for modifiersName to be set to something useful.  

As it turns out, currently LDAP_dn2principal is bogus.  It doesn't even
use its dn argument.  Instead, it apparently attempts to use the first 
krb5Principal returned from LDAP -- except this, too, fails, since the
search uses LDAP_SCOPE_BASE.

i.e. I don't think it will work under any circumstances :-)

> It is nice to see the schema being put to use but I would not consider it
> ready for prime time just yet. This issue of namespace mapping and other
> issues still remain to be addressed. I started a list (kdc-schema@it.su.se) to
> discuss this but it has been very quiet (partly because of inactivity on my
> part). If there is interest in discussing this please join.

I didn't know of it -- I will move this thread there.  Please keep me on
the cc: list for now -- I've sent a subscribe request but haven't
received any reply yet.

I will drag hdb-ldap kicking and screaming into `prime time' if
necessary :-)  Seriously, the results are very promising even though
there are some rough edges.  I am sure we will be able to smooth them

Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org
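The search-scope problem described above (a DN-to-principal lookup that ignores its dn argument and searches with LDAP_SCOPE_BASE) is easiest to see against a tiny in-memory model of an LDAP tree. The following is an added example, not code from the thread or from Heimdal's hdb-ldap.c: the directory contents, the base DN `ou=kerberos,dc=example,dc=org` and the realm `EXAMPLE.ORG` are constructed, and the attribute name `krb5Principal` is taken from the message above. It shows that a base-scope search only ever returns the base object itself, so searching a container for the first `krb5Principal` finds nothing, while reading the attribute from the entry named by the dn argument (where base scope is the correct choice) works, and a modifier that is not a principal, such as a plain LDAP administrator, correctly maps to no principal at all.

```python
# Added example: minimal model of LDAP search scopes and a DN -> principal lookup.
# Not Heimdal code; directory contents below are constructed for illustration.

SCOPE_BASE = "base"          # only the base object itself
SCOPE_ONELEVEL = "onelevel"  # immediate children of the base object
SCOPE_SUBTREE = "subtree"    # base object and everything beneath it


def dn_components(dn):
    """Split a DN into normalised RDNs, most specific first.
    Assumes no escaped commas inside attribute values."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def is_under(dn, base, max_depth=None):
    """True if dn is base itself or lies below base (optionally bounded by depth)."""
    parts, base_parts = dn_components(dn), dn_components(base)
    if len(parts) < len(base_parts) or parts[len(parts) - len(base_parts):] != base_parts:
        return False
    depth = len(parts) - len(base_parts)
    return max_depth is None or depth <= max_depth


def ldap_search(directory, base, scope, attr):
    """Return the DNs of entries within the given scope that carry attribute attr."""
    results = []
    for dn, entry in directory.items():
        same_as_base = dn_components(dn) == dn_components(base)
        if scope == SCOPE_BASE:
            in_scope = same_as_base
        elif scope == SCOPE_ONELEVEL:
            in_scope = is_under(dn, base, max_depth=1) and not same_as_base
        elif scope == SCOPE_SUBTREE:
            in_scope = is_under(dn, base)
        else:
            raise ValueError("unknown scope: %r" % scope)
        if in_scope and attr in entry:
            results.append(dn)
    return results


def first_principal_below(directory, base, scope):
    """Buggy pattern from the thread: ignore the caller's dn and take the first
    krb5Principal found under a fixed base.  With SCOPE_BASE on a container this
    returns None; with a wider scope it returns an arbitrary principal."""
    hits = ldap_search(directory, base, scope, "krb5Principal")
    return directory[hits[0]]["krb5Principal"][0] if hits else None


def dn2principal(directory, dn):
    """Map a DN to a principal by reading that entry's own krb5Principal attribute.
    Base scope is correct here because dn names the entry itself.  Returns None
    when the entry does not exist or is not a principal (e.g. a plain LDAP admin
    that modified a record, leaving a modifiersName that is not a principal)."""
    for hit in ldap_search(directory, dn, SCOPE_BASE, "krb5Principal"):
        return directory[hit]["krb5Principal"][0]
    return None


# Constructed sample directory (hypothetical realm EXAMPLE.ORG).
DIRECTORY = {
    "dc=example,dc=org": {"objectClass": ["dcObject"]},
    "cn=ldapadmin,dc=example,dc=org": {"objectClass": ["person"]},
    "ou=kerberos,dc=example,dc=org": {"objectClass": ["organizationalUnit"]},
    "uid=alice,ou=kerberos,dc=example,dc=org": {
        "krb5Principal": ["alice@EXAMPLE.ORG"],
        "modifiersName": ["cn=ldapadmin,dc=example,dc=org"],
    },
    "uid=bob,ou=kerberos,dc=example,dc=org": {
        "krb5Principal": ["bob@EXAMPLE.ORG"],
        "modifiersName": ["uid=alice,ou=kerberos,dc=example,dc=org"],
    },
}

KDC_BASE = "ou=kerberos,dc=example,dc=org"  # assumed container for KDC entries

if __name__ == "__main__":
    print("base scope on container:", first_principal_below(DIRECTORY, KDC_BASE, SCOPE_BASE))
    print("subtree scope on container:", first_principal_below(DIRECTORY, KDC_BASE, SCOPE_SUBTREE))
    for dn, entry in DIRECTORY.items():
        for modifier in entry.get("modifiersName", []):
            print(dn, "last modified by", modifier, "->", dn2principal(DIRECTORY, modifier))
```

Running the block prints `None` for the base-scope lookup on the container, an arbitrary principal for the subtree lookup, and, per entry, the modifier's DN mapped to a principal only when that DN is itself a principal entry.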