[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Intergrate Heimdal's hdb-ldap and Samba

To: heimdal-discuss@sics.se
Subject: RE: Intergrate Heimdal's hdb-ldap and Samba
From: Adam Williams <adam@morrison-ind.com>
Date: Wed, 10 Mar 2004 06:31:19 -0500
In-Reply-To: <1078895752.31221.40.camel@piglett.bartlett.house>
References: <014101c40626$91457a30$8601a8c0@CELLO> <1078895752.31221.40.camel@piglett.bartlett.house>
Reply-To: adam@morrison-ind.com
Sender: owner-heimdal-discuss@sics.se

> > > Agree,  I'd suspect the LDAP object will almost always exist and the
> > > kerberos data will be additive.
> > > > > For those things that are new, I think 'account' (or
> > > another suitable
> > > > > compatible structural objectClass) is appropriate.
> > > 'person' to my mind
> > > > > is not.
> > > > I take your word for it. But I would feel much better if
> > > some other ldap
> > > > literate person spoke up and said what you said was right.
> > > I'm an LDAP administration, and I think he's correct.
> > > 'account' is the correct objectclass.
> > It is not so cut-and-dry; this needs to be a configurable item. There are
> > plenty of situations where person/inetOrgPerson is the established
> > objectclass. Also, in an nss_ldap installation the relevant information is in
> > a posixAccount object which is just an auxiliary class. In practice, this
> > objectClass is usually associated with a person entry. The generic "account"
> > objectclass is relatively useless by itself.
> > Speaking as a long-time designer of both Kerberos and LDAP and core developer
> > of OpenLDAP, I'm quite familiar with both...
> And it is - sort of.  If the record already exists in LDAP, then we just
> add to it.  However, I can't see how a KDC can decree that a principal
> is a 'person', on it's own.
> So, if you want other than account, then you probably care about your
> LDAP setup, and are not going to be creating the initial entry with
> heimdal anyway.  (You will add keys with heimdal later).
> Does this sound reasonable?

It seems so to me, assuming that this automatic adding is occuring via
integration with Samba;  since this is how Samba works already. 
sambaSAMAccount is already added to a prexisting objects (either created
manually or via an "add user script").  So (1) the object gets created
(2) samba sambabize's the entry (3) samba asks heimdal to kerbize it; 
at least I assume thats what we are talking about when we mean
"Samba/Heimdal Integration".

I don't see how the KDC would have enough information to create anything
beyond a very basic account object; would it have a surname, etc... to
create a person object?

But I guess there are two issues - creating objects and altering objects
(which first have to be identified via some filter?)?

Follow-Ups:
- RE: Intergrate Heimdal's hdb-ldap and Samba
  - From: Andrew Bartlett <abartlet@samba.org>

References:
- RE: Intergrate Heimdal's hdb-ldap and Samba
  - From: "Howard Chu" <hyc@highlandsun.com>
- RE: Intergrate Heimdal's hdb-ldap and Samba
  - From: Andrew Bartlett <abartlet@samba.org>

Prev by Date: Re: [Kevin Coffman] Proposal to export gssapi context
Next by Date: Re: [Kevin Coffman] Proposal to export gssapi context
Prev by thread: RE: Intergrate Heimdal's hdb-ldap and Samba
Next by thread: RE: Intergrate Heimdal's hdb-ldap and Samba
Index(es):
- Date
- Thread