[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Intergrate Heimdal's hdb-ldap and Samba
> > > Agree, I'd suspect the LDAP object will almost always exist and the
> > > kerberos data will be additive.
> > > > > For those things that are new, I think 'account' (or
> > > another suitable
> > > > > compatible structural objectClass) is appropriate.
> > > 'person' to my mind
> > > > > is not.
> > > > I take your word for it. But I would feel much better if
> > > some other ldap
> > > > literate person spoke up and said what you said was right.
> > > I'm an LDAP administration, and I think he's correct.
> > > 'account' is the correct objectclass.
> > It is not so cut-and-dry; this needs to be a configurable item. There are
> > plenty of situations where person/inetOrgPerson is the established
> > objectclass. Also, in an nss_ldap installation the relevant information is in
> > a posixAccount object which is just an auxiliary class. In practice, this
> > objectClass is usually associated with a person entry. The generic "account"
> > objectclass is relatively useless by itself.
> > Speaking as a long-time designer of both Kerberos and LDAP and core developer
> > of OpenLDAP, I'm quite familiar with both...
> And it is - sort of. If the record already exists in LDAP, then we just
> add to it. However, I can't see how a KDC can decree that a principal
> is a 'person', on it's own.
> So, if you want other than account, then you probably care about your
> LDAP setup, and are not going to be creating the initial entry with
> heimdal anyway. (You will add keys with heimdal later).
> Does this sound reasonable?
It seems so to me, assuming that this automatic adding is occuring via
integration with Samba; since this is how Samba works already.
sambaSAMAccount is already added to a prexisting objects (either created
manually or via an "add user script"). So (1) the object gets created
(2) samba sambabize's the entry (3) samba asks heimdal to kerbize it;
at least I assume thats what we are talking about when we mean
I don't see how the KDC would have enough information to create anything
beyond a very basic account object; would it have a surname, etc... to
create a person object?
But I guess there are two issues - creating objects and altering objects
(which first have to be identified via some filter?)?