[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Intergrate Heimdal's hdb-ldap and Samba

Andrew Bartlett <abartlet@samba.org> writes:

> Oops - I'll need to learn a bit more about how HDBentry works :-)

Its more asn1/der. Heimdal's asn1_compile have implicit continuations (...)
so parsing data is just fine, however it wont be preserved, nor it will the
kdc properly reject data when it doesn't understand a critical extension.

> Is is at all possible to have the hdb directly stored in the database be
> different to that used as an internal data strucutre?  I know it removes
> some of the beauty of the system, but in Samba we have found it very,
> very useful.  In particular, I extended it to support attributes that
> your kadmin protocol knows about, but your HDB doesn't :-)

Yes, two issues is the same problem. How to expand data in a forward
compatible manner. How about defining something like this ? Then we only
need to break forward compatibilty once.

hdb-extension ::= SEQUENCE {
	mandatory[0]	INTEGER,	-- kdc MUST understand this extension,
					--   if not the whole entry must
					--   be rejected
	type[1]		INTEGER,
	data[2]		OCTET STRING

hdb-extensions ::= SEQUENCE OF hdb-extension

hdb-entry ::= SEQUENCE {
	hdb-extensions[13] hdb-extensions OPTIONAL

> Also, I would like to have a 'plaintext password' attribute passed
> around, so that we can use it in a number of 'password syncronisation'
> areas.

That would be possible to solve in the above scheme.

And indeed, we have talked about doing just that so enctypes can be added
to users and not requiring them to change their password.

> That's not an issue for Samba right now - the NTLM authentication scheme
> is stuck at MD4 passwords, and is unlikaly to move further than that. 
> That is what Kerberos is for ;-)

Ah, ok.

BTW, I've imported non ldap related parts of your patch.


PGP signature