[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Intergrate Heimdal's hdb-ldap and Samba
> -----Original Message-----
> From: firstname.lastname@example.org
> [mailto:email@example.com]On Behalf Of Adam Williams
> Agree, I'd suspect the LDAP object will almost always exist and the
> kerberos data will be additive.
> > > For those things that are new, I think 'account' (or
> another suitable
> > > compatible structural objectClass) is appropriate.
> 'person' to my mind
> > > is not.
> > I take your word for it. But I would feel much better if
> some other ldap
> > literate person spoke up and said what you said was right.
> I'm an LDAP administration, and I think he's correct.
> 'account' is the correct objectclass.
It is not so cut-and-dry; this needs to be a configurable item. There are
plenty of situations where person/inetOrgPerson is the established
objectclass. Also, in an nss_ldap installation the relevant information is in
a posixAccount object which is just an auxiliary class. In practice, this
objectClass is usually associated with a person entry. The generic "account"
objectclass is relatively useless by itself.
Speaking as a long-time designer of both Kerberos and LDAP and core developer
of OpenLDAP, I'm quite familiar with both...
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support