
RE: Integrate Heimdal's hdb-ldap and Samba

> -----Original Message-----
> From: owner-heimdal-discuss@sics.se
> [mailto:owner-heimdal-discuss@sics.se]On Behalf Of Adam Williams

> Agree, I'd suspect the LDAP object will almost always exist and the
> kerberos data will be additive.
> > > For those things that are new, I think 'account' (or another suitable
> > > compatible structural objectClass) is appropriate. 'person' to my mind
> > > is not.
> > I take your word for it. But I would feel much better if some other ldap
> > literate person spoke up and said what you said was right.
> I'm an LDAP administrator, and I think he's correct.
> 'account' is the correct objectclass.

It is not so cut-and-dry; this needs to be a configurable item. There are
plenty of situations where person/inetOrgPerson is the established
objectclass. Also, in an nss_ldap installation the relevant information is in
a posixAccount object which is just an auxiliary class. In practice, this
objectClass is usually associated with a person entry. The generic "account"
objectclass is relatively useless by itself.

Speaking as a long-time designer of both Kerberos and LDAP and core developer
of OpenLDAP, I'm quite familiar with both...

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support