
RE: Integrate Heimdal's hdb-ldap and Samba



On Wed, 2004-03-10 at 22:31, Adam Williams wrote:
> > > > Agree,  I'd suspect the LDAP object will almost always exist and the
> > > > kerberos data will be additive.
> > > > > > For those things that are new, I think 'account' (or
> > > > another suitable
> > > > > > compatible structural objectClass) is appropriate.
> > > > 'person' to my mind
> > > > > > is not.
> > > > > I take your word for it. But I would feel much better if
> > > > some other ldap
> > > > > literate person spoke up and said what you said was right.
> > > > I'm an LDAP administrator, and I think he's correct.
> > > > 'account' is the correct objectclass.
> > > It is not so cut-and-dry; this needs to be a configurable item. There are
> > > plenty of situations where person/inetOrgPerson is the established
> > > objectclass. Also, in an nss_ldap installation the relevant information is in
> > > a posixAccount object which is just an auxiliary class. In practice, this
> > > objectClass is usually associated with a person entry. The generic "account"
> > > objectclass is relatively useless by itself.
> > > Speaking as a long-time designer of both Kerberos and LDAP and core developer
> > > of OpenLDAP, I'm quite familiar with both...
> > And it is - sort of.  If the record already exists in LDAP, then we just
> > add to it.  However, I can't see how a KDC can decree that a principal
> > is a 'person', on its own.
> > So, if you want other than account, then you probably care about your
> > LDAP setup, and are not going to be creating the initial entry with
> > heimdal anyway.  (You will add keys with heimdal later).
> > Does this sound reasonable?
> 
> It seems so to me, assuming that this automatic adding is occurring via
> integration with Samba; since this is how Samba works already.
> sambaSAMAccount is already added to a preexisting object (either created
> manually or via an "add user script"). So (1) the object gets created,
> (2) samba sambabizes the entry, (3) samba asks heimdal to kerbize it;
> at least I assume that's what we are talking about when we mean
> "Samba/Heimdal Integration".

Samba doesn't actually.  Well not at this point.  What the patch is
about is actually *using* a Samba password, Samba isn't actually
modified at this point.

There is a patch in the works to allow the LDAP server to 'know' that it
needs to update all sorts of different password hashes.

> I don't see how the KDC would have enough information to create anything
> beyond a very basic account object; would it have a surname, etc... to
> create a person object?

Exactly.

> But I guess there are two issues - creating objects and altering objects
> (which first have to be identified via some filter?)?

Yep.  We look for either an account with a uid, or a

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
