
about krb5-kdc.schema

I have a few questions about the usage of krb5-kdc.schema for using openldap as the backend of heimdal. Hopefully somebody in this mailing list can help me.
1. If I want to use back-sql as the backend of openldap to store the kerberos5 related info such as the realm and principals' credentials & policies, how should I design the database? In the Kerberos KDC LDAP Schema (draft-skibbie-krb-kdc-ldap-schema-02.txt - expired in May 2002, but I couldn't find a newer version on the net), it is stated that RealmEntry must have krbRealmName, krbPrincSubTree and krbKdcServiceObject attributes, but in the krb5-kdc.schema v1.8 that I downloaded from the head of CVS, krb5Realm only has one mandatory attribute: krb5RealmName. Based on which guidelines should I design the database?
2. Walking through the heimdal and openldap code, in the LDAP_store function there are two LDAP_addmods: for the 'top' and 'person' objectclasses. What's the rationale behind this?
3. There is a comment in krb5-kdc.schema v1.8: "This schema is not usable as it contains invalid constructs. It is provided to developers for informational purposes only."
If that's the case, which schema does the bdb_add function use when checking the schema entry?
Thanks in advance for any response,

Life, you see, is never as good or as bad as one thinks
- Guy de Maupassant -
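As an added example (not from the poster, Heimdal or OpenLDAP), a small Python parser that extracts the MUST and MAY attribute lists from objectclass definitions written in OpenLDAP schema syntax and reports which required attributes an entry lacks, the kind of check the third question is asking about. The schema text and OIDs below are constructed placeholders, not the real krb5-kdc.schema definitions.

```python
import re

# Constructed sample in OpenLDAP schema syntax. The OIDs and attribute lists are
# placeholders for illustration, not the real krb5Realm/krb5Principal definitions.
SAMPLE_SCHEMA = """
objectclass ( 1.3.6.1.4.1.99999.1.1 NAME 'krb5Realm' SUP top AUXILIARY
    DESC 'Constructed example, not the real definition'
    MUST krb5RealmName
    MAY ( krb5PrincipalName $ description ) )
objectclass ( 1.3.6.1.4.1.99999.1.2 NAME 'krb5Principal' SUP top AUXILIARY
    MUST ( krb5PrincipalName $ cn )
    MAY ( krb5PrincipalRealm $ krb5KeyVersionNumber ) )
"""

def _attr_list(body, keyword):
    """Return the attribute names following MUST or MAY: either one bare
    name or a '$'-separated list in parentheses."""
    m = re.search(r'\b%s\s+(\([^)]*\)|\S+)' % keyword, body)
    if not m:
        return []
    return m.group(1).strip('()').replace('$', ' ').split()

def parse_objectclasses(text):
    """Map each objectclass NAME to its MUST and MAY attribute lists."""
    result = {}
    for m in re.finditer(r'objectclass\s*\(', text, flags=re.IGNORECASE):
        # Walk to the parenthesis that closes this definition; the MUST/MAY
        # lists nest one level inside it, so track depth instead of regexing.
        depth, i = 0, m.end() - 1
        while i < len(text):
            if text[i] == '(':
                depth += 1
            elif text[i] == ')':
                depth -= 1
                if depth == 0:
                    break
            i += 1
        body = text[m.end():i]
        name = re.search(r"NAME\s+'([^']+)'", body).group(1)
        result[name] = {'must': _attr_list(body, 'MUST'),
                        'may': _attr_list(body, 'MAY')}
    return result

def missing_required(entry, schema):
    """Return MUST attributes (per the entry's objectClass values) that the
    entry does not carry. Attribute names compare case-insensitively, as in LDAP."""
    present = {a.lower() for a in entry}
    missing = set()
    for oc in entry.get('objectClass', []):
        for attr in schema.get(oc, {}).get('must', []):
            if attr.lower() not in present:
                missing.add(attr)
    return sorted(missing)
```

Running parse_objectclasses over the real krb5-kdc.schema file would show directly which attributes each krb5 objectclass marks as MUST, which is the comparison the first question makes by hand.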
