Integrate Heimdal's hdb-ldap and Samba

Love lha at
Mon Mar 1 11:21:40 GMT 2004

Andrew Bartlett <abartlet at> writes:

> On Sun, 2004-02-29 at 23:57, Love wrote:
>> Andrew Bartlett <abartlet at> writes:
>> > Oops - I'll need to learn a bit more about how HDBentry works :-)
>> It's more asn1/der. Heimdal's asn1_compile has implicit continuations (...)
>> so parsing data is just fine, however it won't be preserved, nor will the
>> kdc properly reject data when it doesn't understand a critical extension.
> Would you consider merging my patch if I removed the extra attributes
> (which I don't use yet)?

I am considering including your patch in Heimdal, doing some merge of your
patch and the proposal I have. We have to break forward compatibility at
some time (with something like hdb-extensions). There are changes that are
already not put into the tree because of this issue (per-principal
configurable iteration counter for AES s2k, pkinit ACLs, etc).

Reading the ldap patch I think you break backward compatibility with the
old code, like you changed how the Key was stored, to hex encoded data from
raw octets.

> I was considering that the HDBentry in the Heimdal database would simply
> not change, but that when using LDAP we would present a 'richer'
> interface. Otherwise, your proposal certainly makes sense.

Ah, so you want a different interface between libhdb and libkadm5?

The hdb structure is slightly entrenched in libkadm5 and the hprop/iprop
protocols. Also the kdc uses the hdb interface, so doing a new API seems to
be somewhat painful (based on a 2 min code review).

>> BTW, I've imported non ldap related parts of your patch.
> Thanks.
> How much 'samba stuff' are you willing to tolerate in Heimdal?
> For example, once we start updating the 'last change time', we should
> also update/honour the 'min password age' and 'must change time'
> attributes. (I.e., query the directory for those properties, and set them
> when we update the password).

Many changes that you propose above should really be part of Heimdal, so I
don't really see it as a problem to include them.

As long as the patches are clean, sane, pretty, don't do horrible things
with abstraction layers, and someone tests them properly, I have no
problem including them in Heimdal. Also, including documentation is nice, at
least some framework for it; I really don't want to write all the text myself.
