[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Intergrate Heimdal's hdb-ldap and Samba

To: Andrew Bartlett <abartlet@samba.org>
Subject: Re: Intergrate Heimdal's hdb-ldap and Samba
From: Love <lha@stacken.kth.se>
Date: Mon, 01 Mar 2004 13:57:20 +0100
Cc: heimdal-discuss@sics.se, Multiple recipients of list SAMBA-TECHNICAL <samba-technical@samba.org>
In-Reply-To: <1078140789.1599.247.camel@piglett.bartlett.house> (AndrewBartlett's message of "Mon, 01 Mar 2004 22:33:09 +1100")
References: <1077962186.1892.8354.camel@piglett.bartlett.house><am8yimmr40.fsf@nutcracker.stacken.kth.se><1078031265.1892.13408.camel@piglett.bartlett.house><amk726m4a2.fsf@nutcracker.stacken.kth.se><1078121794.1599.208.camel@piglett.bartlett.house><am3c8s6ce3.fsf@nutcracker.stacken.kth.se><1078140789.1599.247.camel@piglett.bartlett.house>
Sender: owner-heimdal-discuss@sics.se
User-Agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (berkeley-unix)

Andrew Bartlett <abartlet@samba.org> writes:

>> Reading the ldap patch I think you break backward compatibility with the
>> old code, like you changed how the Key was stored, to hex encoded data from
>> raw octets.
>
> sambaNTpassword is hex encoded, but the krb5Key should still be raw
> octects.  It should be raw octets inside HDBEntry.  Can you point out
> exactly what you mean here?

Oh, sorry, it was a comment. I've still to get used to this "new" c99
comments.

> The only backward compatibility issue is that older Heimdal
> installations that query the same directory will not see the type-23
> key, as it is in the sambaNTpassword.  But this only happens when there
> is a sambaSamAccount on the entry.

Shouldn't type-23 keys be stored in both entries ?

>> The hdb-structure is slighty entrenched into libkadm5 and the hprop/iprop
>> protocols. Also the kdc uses the hdb interface, so doing a new api seem to
>> be somewhat painful (based from a 2 min code review)
>
> What I was instead thinking was to continue expanding HDBEntry, but use
> a HDBEntry2OldHDBEntry function for db storage.

The "real" way of solving this should be doing something like this:

hdb-extension ::= CHOICE {
	some-value[0]	SomeType,
	some-value2[0]	SomeType2,
	...
}

hdb-extensions ::= SEQUENCE OF SEQUENCE ::= {
	mandatory[0]	INTEGER,	-- kdc MUST understand this extension
	extension[1]  	hdb-extension
}

and make sure sure that the asn1 library supports ... for CHOICE (and thus
preserved data).

Then the structure would be extented in and forward compatibility maner
that old kdc would understand.

However, the asn1 lib on head doesn't support CHOICE, thus by idea of using
OCTET STRING instead. The joda-asn1-branch asn1_compile (used for pkinit)
support CHOICE, but I'm not completely trust it since I'm not sure since
the branch was done 2 years ago and all changes might not he pulled over
From head.

The db really need to store all the data, so using something like
HDBEntry2OldHDBEntry wouldn't work.

Love

PGP signature

Follow-Ups:
- Re: Intergrate Heimdal's hdb-ldap and Samba
  - From: Andrew Bartlett <abartlet@samba.org>

References:
- Re: Intergrate Heimdal's hdb-ldap and Samba
  - From: Andrew Bartlett <abartlet@samba.org>
- Re: Intergrate Heimdal's hdb-ldap and Samba
  - From: Love <lha@stacken.kth.se>
- Re: Intergrate Heimdal's hdb-ldap and Samba
  - From: Andrew Bartlett <abartlet@samba.org>

Prev by Date: Re: SEAM change password protocol different?
Next by Date: Re: SEAM change password protocol different?
Prev by thread: Re: Intergrate Heimdal's hdb-ldap and Samba
Next by thread: Re: Intergrate Heimdal's hdb-ldap and Samba
Index(es):
- Date
- Thread