On Wed, 2004-03-10 at 22:31, Adam Williams wrote:
> > > > Agree, I'd suspect the LDAP object will almost always exist and the
> > > > kerberos data will be additive.
> > > > > > For those things that are new, I think 'account' (or
> > > > > > another suitable compatible structural objectClass) is appropriate.
> > > > > > 'person' to my mind is not.
> > > > > I take your word for it. But I would feel much better if
> > > > > some other ldap literate person spoke up and said what you said was right.
> > > > I'm an LDAP administrator, and I think he's correct.
> > > > 'account' is the correct objectclass.
> > > It is not so cut-and-dry; this needs to be a configurable item. There are
> > > plenty of situations where person/inetOrgPerson is the established
> > > objectclass. Also, in an nss_ldap installation the relevant information is in
> > > a posixAccount object which is just an auxiliary class. In practice, this
> > > objectClass is usually associated with a person entry. The generic "account"
> > > objectclass is relatively useless by itself.
> > >
> > > Speaking as a long-time designer of both Kerberos and LDAP and core developer
> > > of OpenLDAP, I'm quite familiar with both...
> >
> > And it is - sort of. If the record already exists in LDAP, then we just
> > add to it. However, I can't see how a KDC can decree that a principal
> > is a 'person', on its own.
> >
> > So, if you want other than account, then you probably care about your
> > LDAP setup, and are not going to be creating the initial entry with
> > heimdal anyway. (You will add keys with heimdal later).
> >
> > Does this sound reasonable?
>
> It seems so to me, assuming that this automatic adding is occurring via
> integration with Samba; since this is how Samba works already.
> sambaSAMAccount is already added to a preexisting object (either created
> manually or via an "add user script").
>
> So (1) the object gets created
> (2) samba sambabizes the entry
> (3) samba asks heimdal to kerbize it;
> at least I assume that's what we are talking about when we mean
> "Samba/Heimdal Integration".

Samba doesn't actually. Well, not at this point. What the patch is about is
actually *using* a Samba password; Samba isn't actually modified at this
point. There is a patch in the works to allow the LDAP server to 'know'
that it needs to update all sorts of different password hashes.

> I don't see how the KDC would have enough information to create anything
> beyond a very basic account object; would it have a surname, etc... to
> create a person object?

Exactly.

> But I guess there are two issues - creating objects and altering objects
> (which first have to be identified via some filter?)?

Yep. We look for either an account with a uid, or a

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
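The schema argument running through the thread (a KDC knows only a principal name, so it can satisfy the MUST list of `account` but not of `person`/`inetOrgPerson`, while `posixAccount` is merely an auxiliary class hung on some structural entry) is easy to check mechanically. The following is an added illustration, not code from the thread, Heimdal or Samba. The MUST attribute sets are the standard COSINE / RFC 2256 / RFC 2307 definitions; the LDIF, the function names and the "account with a uid, or posixAccount" selection rule are constructed for the example (the thread's own filter is cut off, so this one is an assumption, not Heimdal's).

```python
"""Added example: which entries a KDC could mint on its own, and which
pre-existing entries it could add Kerberos data to.  Schema MUST lists are
the standard definitions; LDIF and selection rule are constructed here."""
from typing import Dict, List, Set, Tuple

Entry = Dict[str, List[str]]

# MUST attributes of the classes discussed in the thread (standard schema).
# inetOrgPerson inherits its MUST list (sn, cn) from person via
# organizationalPerson; posixAccount is AUXILIARY and needs a structural host.
SCHEMA = {
    "account":       {"kind": "STRUCTURAL", "must": {"uid"}},
    "person":        {"kind": "STRUCTURAL", "must": {"sn", "cn"}},
    "inetOrgPerson": {"kind": "STRUCTURAL", "must": {"sn", "cn"}},
    "posixAccount":  {"kind": "AUXILIARY",
                      "must": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"}},
}

# Constructed sample directory: a person with posixAccount, a bare account
# for a service principal, and a person entry that carries no uid at all.
SAMPLE_LDIF = """
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Alice Example
sn: Example
uid: alice
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/alice

dn: uid=host/kdc.example.com,ou=Services,dc=example,dc=com
objectClass: account
uid: host/kdc.example.com

dn: cn=Bob Example,ou=People,dc=example,dc=com
objectClass: person
cn: Bob Example
sn: Example
"""


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines
    (no base64 '::' values or line folding, which the sample does not use)."""
    entries: List[Entry] = []
    cur: Entry = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        cur.setdefault(key.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def missing_must(entry: Entry) -> Set[str]:
    """Attributes required by the entry's objectClasses but absent from it."""
    missing: Set[str] = set()
    for oc in entry.get("objectClass", []):
        spec = SCHEMA.get(oc)
        if spec:
            missing |= spec["must"] - set(entry)
    return missing


def kdc_can_create(principal: str, structural_class: str) -> Tuple[bool, Set[str]]:
    """A KDC knows only the principal; the uid is its local part.  Build the
    entry from that alone and report whether the schema would accept it."""
    uid = principal.split("@", 1)[0]
    entry: Entry = {"objectClass": [structural_class], "uid": [uid]}
    missing = missing_must(entry)
    return (not missing, missing)


def find_kerberizable(entries: List[Entry]) -> List[str]:
    """DNs of pre-existing entries that already carry a uid and are either a
    plain 'account' or have the posixAccount auxiliary class (constructed
    rule standing in for the thread's cut-off filter)."""
    out = []
    for e in entries:
        ocs = set(e.get("objectClass", []))
        if "uid" in e and ({"account", "posixAccount"} & ocs):
            out.append(e["dn"][0])
    return out


if __name__ == "__main__":
    print("account :", kdc_can_create("alice@EXAMPLE.COM", "account"))
    print("person  :", kdc_can_create("alice@EXAMPLE.COM", "person"))
    for dn in find_kerberizable(parse_ldif(SAMPLE_LDIF)):
        print("existing:", dn)
```

Running it shows the two halves of the argument: an `account` entry built from nothing but the principal passes the MUST check, a `person` entry from the same input is missing `sn` and `cn`, and the scan over the sample directory picks up both the posixAccount-bearing person and the bare service account while skipping the person entry that has no uid.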