[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: about krb5-kdc.schema

To: Lara Adianto <m1r4cle_26@yahoo.com>
Subject: Re: about krb5-kdc.schema
From: Alberto Patino <jalbertop@aranea.com.mx>
Date: 23 Apr 2004 12:26:19 -0500
Cc: openldap-software@OpenLDAP.Org, heimdal-discuss@sics.se
In-Reply-To: <20040422154816.45782.qmail@web80803.mail.yahoo.com>
Organization: aranea
References: <20040422154816.45782.qmail@web80803.mail.yahoo.com>
Reply-To: jalbertop@aranea.com.mx
Sender: owner-heimdal-discuss@sics.se

On Thu, 2004-04-22 at 10:48, Lara Adianto wrote:
> Hello,
>  
> I have a few questions about the usage of krb5-kdc.schema for using
> openldap as the backend of heimdal. Hopefully somebody in this mailing
> list can help me. 
>  
> 1. If I want to use back-sql as the backend of openldap to store the
> kerberos5 related infos such as the realm and principals' credentials
> & policies, how should I design the database ? In the Kerberos KDC
> LDAP Schema (draft-skibbie-krb-kdc-ldap-schema-02.txt - expired in may
> 2002, but I couldn't find a newer version on the net), it is stated
> that RealmEntrymust have krbRealmName, krbPrincSubTree and
> krbKdcServiceObject attributes, but in the krb5-kdc.schema v1.8 that I
> downloaded from the head of CVS, krb5Realm only has one mandatory
> attribute: krb5RealmName. Based on which guidelines should I design
> the database ?
>  
> 2. Walking through the heimdal and openldap, in the LDAP_store
> function, there are two LDAP_addmods: for 'top'  and 'person'
> objectclass. What's the rational behind this ? 
top is always included in a objectclass hierarchy. Person is required
for trhe attribute cn,sn etc.

> 3. There is a comment in krb5-kdc.schema v1.8: This schema is not
> usable as it contains invalid contructs. It is provided to developers
> for informational purposes only.
Kurt Z. pinpoint out this in the net. To make it usable  you need no fix
the definition for the following attributes adding the ORDERING clause
attributetype ( 1.3.6.1.4.1.5322.10.1.7
	NAME 'krb5ValidStart'
	EQUALITY generalizedTimeMatch
	ORDERING generalizedTimeOrderingMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.5322.10.1.8
	NAME 'krb5ValidEnd'
	EQUALITY generalizedTimeMatch
	ORDERING generalizedTimeOrderingMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
	SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.5322.10.1.9
	NAME 'krb5PasswordEnd'
	EQUALITY generalizedTimeMatch
	ORDERING generalizedTimeOrderingMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
	SINGLE-VALUE )
>

References:
- about krb5-kdc.schema
  - From: Lara Adianto <m1r4cle_26@yahoo.com>

Prev by Date: Re: domain to realm mappings and DNS (probably a bug)
Next by Date: debugging kauth/kinit
Prev by thread: about krb5-kdc.schema
Next by thread: Keeping an afs kaserver database in sync w/krb5 database
Index(es):
- Date
- Thread