[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: about krb5-kdc.schema
On Thu, 2004-04-22 at 10:48, Lara Adianto wrote:
> I have a few questions about the usage of krb5-kdc.schema for using
> openldap as the backend of heimdal. Hopefully somebody in this mailing
> list can help me.
> 1. If I want to use back-sql as the backend of openldap to store the
> kerberos5 related infos such as the realm and principals' credentials
> & policies, how should I design the database ? In the Kerberos KDC
> LDAP Schema (draft-skibbie-krb-kdc-ldap-schema-02.txt - expired in may
> 2002, but I couldn't find a newer version on the net), it is stated
> that RealmEntrymust have krbRealmName, krbPrincSubTree and
> krbKdcServiceObject attributes, but in the krb5-kdc.schema v1.8 that I
> downloaded from the head of CVS, krb5Realm only has one mandatory
> attribute: krb5RealmName. Based on which guidelines should I design
> the database ?
> 2. Walking through the heimdal and openldap, in the LDAP_store
> function, there are two LDAP_addmods: for 'top' and 'person'
> objectclass. What's the rational behind this ?
top is always included in a objectclass hierarchy. Person is required
for trhe attribute cn,sn etc.
> 3. There is a comment in krb5-kdc.schema v1.8: This schema is not
> usable as it contains invalid contructs. It is provided to developers
> for informational purposes only.
Kurt Z. pinpoint out this in the net. To make it usable you need no fix
the definition for the following attributes adding the ORDERING clause
attributetype ( 184.108.40.206.4.1.53220.127.116.11
attributetype ( 18.104.22.168.4.1.5322.214.171.124
attributetype ( 126.96.36.199.4.1.53188.8.131.52