
Re: Patch to prevent krb5Key attrs in Samba LDAP entries



Andrew Bartlett wrote:
> On Wed, 2005-05-18 at 16:46 -0400, James F. Hranicky wrote:
> 
>>The following patch keeps Samba LDAP entries from being populated with
>>krb5Key LDAP attributes even if other Kerberos attributes are available.
>>
>>This accomplishes the following:
>>
>>	- ensures Heimdal and Samba share only 1 key
>>	- removes the need for the smbk5pwd overlay for Heimdal/Samba
>>	  syncing

> I still think this is the best way forward,

Agreed. Not to mention, there are also still sites that perform LDAP 
Simple Binds and other SASL secret-based mechs. Using the smbk5pwd 
overlay ensures that all of these mechs work in a unified fashion. If 
you only patch Heimdal and Samba to play with each other, you still 
haven't solved the unification problem for SASL and low-function LDAP 
clients.

> but I know it isn't easy
> changing details on the LDAP server side of things (which is why I have
> not been able to run that overlay).

Details like what, the schema definition, the ASN.1 structure of the data?

>>	- prevents the unnecessary addition of the krb5EncryptionType
>>	  attribute
>>
>>This probably isn't the best way to handle this as there's no configuration
>>option, so I'd appreciate any comments on this issue.

> I think the last point is the key issue here.  A patch that I think
> would make more sense is one that uses the presence of an existing
> krb5key attribute to determine if it should be updated.

Again, agreed.

-- 
   -- Howard Chu
   Chief Architect, Symas Corp.       Director, Highland Sun
   http://www.symas.com               http://highlandsun.com/hyc
   Symas: Premier OpenSource Development and Support
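The update rule Andrew proposes above (refresh krb5Key only when the entry already carries one, and never add krb5EncryptionType from the Samba side) can be expressed as a small policy function. The following is an added illustration, not code from the thread, the patch under discussion, Samba, Heimdal or smbk5pwd; the attribute name sambaNTPassword and the "replace"/"add" modification tuples are assumptions, and the key material is constructed sample data.

```python
"""Decide which attributes a password change may touch on a Samba-style
LDAP entry, following the presence-based rule from the thread:
krb5Key is updated only if it already exists, and the Samba side never
creates any Kerberos attribute (krb5Key or krb5EncryptionType).

This is an added example; names other than krb5Key and
krb5EncryptionType are assumed, not taken from the thread."""

from typing import Dict, List, Tuple

# Kerberos attributes the Samba side must never create (from the thread).
KERBEROS_ATTRS = ("krb5Key", "krb5EncryptionType")

# A modification: (operation, attribute, values); operation is "replace"
# or "add". Real clients would map these onto their LDAP library's modlist.
Mod = Tuple[str, str, List[str]]


def build_password_mods(entry: Dict[str, List[str]],
                        nt_hash: str,
                        krb5_keys: List[str]) -> List[Mod]:
    """Return the modifications for a password change on `entry`."""
    mods: List[Mod] = []

    # Samba's own hash attribute (assumed name) is always written; add it
    # if missing, replace it otherwise.
    op = "replace" if entry.get("sambaNTPassword") else "add"
    mods.append((op, "sambaNTPassword", [nt_hash]))

    # krb5Key is refreshed only when the KDC side already populated it, so
    # Heimdal and Samba keep sharing one key without Samba creating it.
    if entry.get("krb5Key"):
        mods.append(("replace", "krb5Key", krb5_keys))

    # krb5EncryptionType is deliberately never touched.
    return mods


def creates_kerberos_attr(entry: Dict[str, List[str]], mods: List[Mod]) -> bool:
    """True if applying `mods` would introduce a Kerberos attribute that the
    entry did not already have; a check a reviewer can run over a modlist."""
    return any(attr in KERBEROS_ATTRS and not entry.get(attr)
               for _op, attr, _vals in mods)


# Constructed sample entries (not real directory data).
ENTRY_WITH_KRB = {
    "uid": ["alice"],
    "sambaNTPassword": ["00" * 16],
    "krb5Key": ["constructed-old-key"],
    "krb5EncryptionType": ["23"],
}
ENTRY_SAMBA_ONLY = {
    "uid": ["bob"],
    "sambaNTPassword": ["11" * 16],
}

if __name__ == "__main__":
    for entry in (ENTRY_WITH_KRB, ENTRY_SAMBA_ONLY):
        mods = build_password_mods(entry, "22" * 16, ["constructed-new-key"])
        print(entry["uid"][0], mods,
              "creates kerberos attr:", creates_kerberos_attr(entry, mods))
```

Running the module shows the first entry getting both sambaNTPassword and krb5Key replaced, while the Samba-only entry receives just the NT hash; `creates_kerberos_attr` returns False for both, which is the property the thread wants from a configuration-free patch.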