[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Intergrate Heimdal's hdb-ldap and Samba
Just joined the list since I was reading the "hdb-ldap and Samba" thread
in the archive. I'm the administrator of an OpenLDAP/SambaPDC network
with MIT kerberos on the side. I'm also the author of -
ftp://ftp.kalamazoolinux.org/pub/pdf/ldapv3.pdf (which, of course, seems
to be down at the momemt) - I'm really familiar with LDAPish topics and
have a working understanding of Kerberos.
An integrated Samba/DSA/KDC would be a dream come true.
> > In the real world, I would have expected that if a site is going to
> > pain of setting up LDAP (and it is a pain, no matter what we can do)
> > that the entries for the accounts would probably already exist (for
> > nss_ldap, for all the reasons that they wanted their data in a single
> > place to start with). As such, the 'account' stuff does not come into
> > play, as the entry already exists.
Agree, I'd suspect the LDAP object will almost always exist and the
kerberos data will be additive.
> > For those things that are new, I think 'account' (or another suitable
> > compatible structural objectClass) is appropriate. 'person' to my mind
> > is not.
> I take your word for it. But I would feel much better if some other ldap
> literate person spoke up and said what you said was right.
I'm an LDAP administration, and I think he's correct. 'account' is the