[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Patch to prevent krb5Key attrs in Samba LDAP entries
Andrew Bartlett wrote:
> On Wed, 2005-05-18 at 16:46 -0400, James F. Hranicky wrote:
>>The following patch keeps Samba LDAP entries from being populated with
>>krb5Key LDAP attributes even if other Kerberos attributes are available.
>>This accomplishes the following:
>> - ensures Heimdal and Samba share only 1 key
>> - removes the need for the smbk5pwd overlay for Heimdal/Samba
> I still think this is the best way forward,
Agreed. Not to mention, there are also still sites that perform LDAP
Simple Binds and other SASL secret-based mechs. Using the smbk5pwd
overlay ensures that all of these mechs work in a unified fashion. If
you only patch Heimdal and Samba to play with each other, you still
haven't solved the unification problem for SASL and low-function LDAP
> but I know it isn't easy
> changing details on the LDAP server side of things (which is why I have
> not been able to run that overlay).
Details like what, the schema definition, the ASN.1 structure of the data?
>> - prevents the unnecessary addition of the krb5EncryptionType
>>This probably isn't the best way to handle this as there's no configuration
>>option, so I'd appreciate any comments on this issue.
> I think the last point is the key issue here. A patch that I think
> would make more sense is one that uses the presence of an existing
> krb5key attribute to determine if it should be updated.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support