[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Intergrate Heimdal's hdb-ldap and Samba

To: Andrew Bartlett <abartlet@samba.org>
Subject: Re: Intergrate Heimdal's hdb-ldap and Samba
From: Love <lha@stacken.kth.se>
Date: Sun, 07 Mar 2004 00:48:43 +0100
Cc: heimdal-discuss@sics.se, Multiple recipients of list SAMBA-TECHNICAL <samba-technical@samba.org>
In-Reply-To: <1078310407.31811.7.camel@piglett.bartlett.house> (AndrewBartlett's message of "Wed, 03 Mar 2004 21:40:07 +1100")
References: <1077962186.1892.8354.camel@piglett.bartlett.house><am8yimmr40.fsf@nutcracker.stacken.kth.se><1078031265.1892.13408.camel@piglett.bartlett.house><amk726m4a2.fsf@nutcracker.stacken.kth.se><1078121794.1599.208.camel@piglett.bartlett.house><am3c8s6ce3.fsf@nutcracker.stacken.kth.se><1078140789.1599.247.camel@piglett.bartlett.house><amad304te7.fsf@nutcracker.stacken.kth.se><1078310407.31811.7.camel@piglett.bartlett.house>
Sender: owner-heimdal-discuss@sics.se
User-Agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (berkeley-unix)

Andrew Bartlett <abartlet@samba.org> writes:

>> Shouldn't type-23 keys be stored in both entries ?
>
> Perhaps they should.  I'm a bit worried about storing duplicate data -
> what do we do when they don't match.  Now, that is pretty lame, as if
> the two representations of the type-32 key don't match, then the DES
> keys would also be in conflict with the NT password....

Well, at least by storing the data its possible to detect mismatch. Is
there a password changing protocol in SMB/cifs so that data can get out of
sync ?

>> The db really need to store all the data, so using something like
>> HDBEntry2OldHDBEntry wouldn't work.
>
> OK.

So, I integrated did a patch and almost that does this in a forward
compatible maner by using ANY. It break forward compat, but should be ok in
the future.

http://people.su.se/~lha/patches/heimdal/ldap-samba

But I've not tested the patch yet more then compiling it. 

You changed the structural object class from person to account, is this
wise ?

Dunno how to express the data for ldap. Example of data that I want to
store in the extention structure is pkinit acl's, certificates, old keys
(krbtgt's). I guess part of that is expresable in ldap (pkinit acl's at
least, because that is what MS does).

Love

PGP signature

Follow-Ups:
- Re: Intergrate Heimdal's hdb-ldap and Samba
  - From: Andrew Bartlett <abartlet@samba.org>

References:
- Re: Intergrate Heimdal's hdb-ldap and Samba
  - From: Andrew Bartlett <abartlet@samba.org>
- Re: Intergrate Heimdal's hdb-ldap and Samba
  - From: Love <lha@stacken.kth.se>
- Re: Intergrate Heimdal's hdb-ldap and Samba
  - From: Andrew Bartlett <abartlet@samba.org>
- Re: Intergrate Heimdal's hdb-ldap and Samba
  - From: Love <lha@stacken.kth.se>
- Re: Intergrate Heimdal's hdb-ldap and Samba
  - From: Andrew Bartlett <abartlet@samba.org>

Prev by Date: Re: Kerberos IF_RELEVANT/PAC structure question
Next by Date: Re: Intergrate Heimdal's hdb-ldap and Samba
Prev by thread: Re: Intergrate Heimdal's hdb-ldap and Samba
Next by thread: Re: Intergrate Heimdal's hdb-ldap and Samba
Index(es):
- Date
- Thread