
Re: LDAP layouts for Heimdal



Quoting Stephan Siano <Stephan.Siano@gmx.net>:

> Hi,
>
> Chris Hamilton schrieb:
> > ...
> If I remember right, the samba classes are auxiliary classes. You can just
> add them to an existing object at any time, but I haven't tried samba
> myself, so I can't say whether samba requires creating the object
> itself or can also modify an existing one (e.g. one created by heimdal).
Well, there is my problem then.  I am using the schema at
http://www.padl.com/~lukeh/XAD/hdb.schema
on 2.1.22 ldap with a BDB backend.  I can add things to a person object. However,
after I add krb5Principal to the entry, inetOrgPerson cannot be added.  I just
tested sambaSamAccount and it adds afterwards, and so does krb5KDCEntry.  So what
specifically is conflicting in this case between krb5Principal and
inetOrgPerson (organizationalPerson more specifically)?  I don't see how, but I
am new to this.

>
> > So I ask - What was heimdal/ldap originally designed to do - separate
> > or single entries and why?
>
> I guess the more difficult thing to think about is security. If you are
> using the ldap-heimdal-backend, you store your kdc-data (the keys to all
> your services) in a directory and you should make sure that only a kdc
> can access this data.
Yes, I plan to allow only ldapi access to the Kerberos info.
>
> Yours
> Stephan Siano

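The objectClass question in the message above can be settled from the server's own subschema rather than from the schema file: ask cn=Subschema for the objectClasses definitions and look at each class's kind. RFC 4512 allows an entry exactly one chain of STRUCTURAL classes (OpenLDAP 2.1 and later enforce this), and a definition with no kind keyword at all is STRUCTURAL by default. The script below is an added example, not part of this thread, of hdb.schema or of Heimdal: the subschema lines it works on are constructed for illustration (the krb5* and samba* definitions are not copied from the real schema files, and krb5Principal is deliberately written without a kind keyword), and it assumes unfolded LDIF with single-SUP definitions.

```shell
#!/bin/sh
# Added example (not from this thread, hdb.schema or Heimdal): classify
# objectClasses from cn=Subschema output and report how many independent
# STRUCTURAL chains an entry's objectClass set contains. RFC 4512 permits
# exactly one structural chain per entry; a definition without a kind
# keyword (ABSTRACT/STRUCTURAL/AUXILIARY) defaults to STRUCTURAL.

# Constructed sample of the unfolded output of
#   ldapsearch -x -b cn=Subschema -s base '(objectClass=subschema)' objectClasses
# Illustrative definitions only; assumes one SUP per class.
SUBSCHEMA=$(cat <<'EOF'
objectClasses: ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) )
objectClasses: ( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL )
objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson STRUCTURAL )
objectClasses: ( 1.3.6.1.4.1.5322.10.2.1 NAME 'krb5Principal' SUP top MUST krb5PrincipalName )
objectClasses: ( 1.3.6.1.4.1.5322.10.2.2 NAME 'krb5KDCEntry' SUP top AUXILIARY MUST krb5KeyVersionNumber )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY MUST ( uid $ sambaSID ) )
EOF
)

# oc_def NAME: print the definition line for objectClass NAME (fails if absent)
oc_def() {
    printf '%s\n' "$SUBSCHEMA" | grep -F "NAME '$1'"
}

# oc_kind NAME: STRUCTURAL, AUXILIARY or ABSTRACT; no keyword means STRUCTURAL
oc_kind() {
    def=$(oc_def "$1") || { echo UNKNOWN; return 1; }
    case " $def " in
        *" AUXILIARY "*) echo AUXILIARY ;;
        *" ABSTRACT "*)  echo ABSTRACT ;;
        *)               echo STRUCTURAL ;;
    esac
}

# oc_sup NAME: the superior class named after SUP, or nothing for top
oc_sup() {
    oc_def "$1" | sed -n 's/.* SUP \([A-Za-z0-9-]*\).*/\1/p'
}

# structural_chains OC...: print each STRUCTURAL class in the set that is not
# a superior of another STRUCTURAL class in the set, i.e. the leaf of each
# chain. More than one line means the entry would be rejected.
structural_chains() {
    for oc in "$@"; do
        [ "$(oc_kind "$oc")" = STRUCTURAL ] || continue
        is_leaf=1
        for other in "$@"; do
            [ "$other" = "$oc" ] && continue
            [ "$(oc_kind "$other")" = STRUCTURAL ] || continue
            # walk $other's SUP chain; reaching $oc makes $oc an ancestor
            p=$(oc_sup "$other")
            while [ -n "$p" ]; do
                [ "$p" = "$oc" ] && { is_leaf=0; break; }
                p=$(oc_sup "$p")
            done
        done
        [ $is_leaf -eq 1 ] && echo "$oc"
    done
}

# check_entry OC...: succeed only if the set has exactly one structural chain
check_entry() {
    n=$(structural_chains "$@" | wc -l | tr -d ' ')
    if [ "$n" -eq 1 ]; then
        echo "ok: one structural chain ($(structural_chains "$@"))"
    else
        echo "conflict: $n structural chains: $(structural_chains "$@" | tr '\n' ' ')"
        return 1
    fi
}

# Stand-alone demonstration
check_entry inetOrgPerson sambaSamAccount krb5KDCEntry
check_entry inetOrgPerson krb5Principal || :
```

Against a live server, replace the constructed SUBSCHEMA with the real ldapsearch output after unfolding the LDIF continuation lines (a leading single space joins a line to the previous one), then run check_entry with the objectClass values of the entry you intend to build; two lines from structural_chains means one of the classes has to go, or one of the two definitions has to become AUXILIARY.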

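On the security point Stephan raises: restricting the directory to ldapi only limits who can open a socket, but every client on that socket, including Samba and ordinary user lookups, would still see the krb5Key values unless the ACLs hide them. The slapd.conf fragment below is an added example, not from this thread or from Heimdal, of confining the key material to the KDC. It assumes the KDC runs as root on the same host and binds over ldapi with SASL EXTERNAL; the authorization DN shown is the form OpenLDAP derives from the peer's uid/gid 0 on an ldapi socket (on a version that predates peer-credential mapping, bind the KDC with a simple DN instead and name that DN in `by dn.exact=`).

```conf
# Added example (not from this thread or Heimdal). Assumes the KDC is root
# on this host and authenticates over ldapi with SASL EXTERNAL.
# First matching "access to" clause wins, so the key attributes come first.
access to attrs=krb5Key
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
    by * none

# Everything else in the same entries stays usable by Samba and by users.
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
    by users read
    by * auth
```

The check after reloading slapd is a search for the attribute as something other than the KDC, for example `ldapsearch -x -D "uid=someone,..." -W -b "<your base>" krb5Key`: the entries should come back without any krb5Key values, and the same search over ldapi as root should return them.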
----------------------------------------------------------------
This message was sent through ambigc.com.