Integrate Heimdal's hdb-ldap and Samba

Andrew Bartlett abartlet at samba.org
Sun Mar 7 00:24:11 GMT 2004


On Sun, 2004-03-07 at 10:48, Love wrote:
> Andrew Bartlett <abartlet at samba.org> writes:
> 
> >> Shouldn't type-23 keys be stored in both entries ?
> >
> > Perhaps they should.  I'm a bit worried about storing duplicate data -
> > what do we do when they don't match.  Now, that is pretty lame, as if
> > the two representations of the type-32 key don't match, then the DES
> > keys would also be in conflict with the NT password....
> 
> Well, at least by storing the data its possible to detect mismatch. Is
> there a password changing protocol in SMB/cifs so that data can get out of
> sync ?

There certainly is a password change protocol :-)

I would not object to storing both, and asserting that they are the same
in Heimdal.  Samba can't assert that they are the same, but the only
heimdal code that is going to be used will update the Samba passwords
anyway, so it is a non-issue.

There is some work being done to implement an OpenLDAP-side 'password
set' operation, so that both Heimdal and Samba 'set' the password with
the 'password set' extended operation, and all relevant things are
updated.

> >> The db really need to store all the data, so using something like
> >> HDBEntry2OldHDBEntry wouldn't work.
> >
> > OK.
> 
> So, I did a patch that almost does this in a forward
> compatible manner by using ANY. It breaks forward compat, but should be ok in
> the future.
> 
> http://people.su.se/~lha/patches/heimdal/ldap-samba
> 
> But I've not tested the patch yet more than compiling it.
> 
> You changed the structural object class from person to account, is this
> wise ?

I certainly think it is.  Person requires the account to be a real
human, and I would claim that machines are not.  Furthermore, it matches
what Samba does.

> Dunno how to express the data for ldap. Example of data that I want to
> store in the extension structure is pkinit acl's, certificates, old keys
> (krbtgt's). I guess part of that is expressible in ldap (pkinit acl's at
> least, because that is what MS does).

People have generally found that almost anything can be shoved into
LDAP, given sufficient force ;-)

For x.509 certificates, there is an objectClass
(strongAuthenticationUser) and an attribute (userCertificate) for it
already.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
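As an added illustration of the mismatch detection Love and Andrew discuss above (this is an example written for this page, not code from the thread, from Heimdal or from Samba): Samba keeps the NT hash in sambaNTPassword as uppercase hex, and the Kerberos arcfour-hmac-md5 key (enctype 23) is the same value, MD4 over the UTF-16LE password, so once both entries carry a type-23 key an audit can flag the two representations drifting apart after a password change. The attribute name heimdalArcfourKey and the sample entries are constructed for the example; the real hdb-ldap key attribute is ASN.1-encoded and is assumed to have been decoded already.

```python
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    """32-bit left rotate."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), so the example does not depend on
    OpenSSL still shipping the legacy md4 provider."""
    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        # Round 1: words in order, shifts 3/7/11/19.
        for i in range(16):
            a = _lrot((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        # Round 2: words 0,4,8,12,1,5,9,13,..., shifts 3/5/9/13.
        for i in range(16):
            k = (i % 4) * 4 + i // 4
            a = _lrot((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        # Round 3: words 0,8,4,12,2,10,6,14,..., shifts 3/9/11/15.
        for i in range(16):
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a = _lrot((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = ((a0 + a) & MASK32, (b0 + b) & MASK32,
                          (c0 + c) & MASK32, (d0 + d) & MASK32)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """Samba's NT hash: MD4 over the UTF-16LE password. This is also the
    Kerberos arcfour-hmac-md5 (enctype 23) key for that password."""
    return md4(password.encode("utf-16-le"))


def check_type23_consistency(entry: dict) -> str:
    """Compare Samba's sambaNTPassword (hex) with the enctype-23 key held
    on the Heimdal side for the same principal. 'heimdalArcfourKey' is a
    placeholder for the already-decoded key bytes, not the real hdb-ldap
    attribute. Returns 'match', 'mismatch' or 'missing'."""
    samba = entry.get("sambaNTPassword")
    heimdal = entry.get("heimdalArcfourKey")
    if samba is None or heimdal is None:
        return "missing"
    try:
        samba_key = bytes.fromhex(samba)
    except ValueError:
        return "mismatch"
    # Constant-time comparison: both values are password-equivalent secrets.
    return "match" if hmac.compare_digest(samba_key, heimdal) else "mismatch"


# Constructed sample entries, not taken from any real directory.
SAMPLE_ENTRIES = {
    "in-sync": {"uid": "alice",
                "sambaNTPassword": nt_hash("password").hex().upper(),
                "heimdalArcfourKey": nt_hash("password")},
    "drifted": {"uid": "bob",
                "sambaNTPassword": nt_hash("new-password").hex().upper(),
                "heimdalArcfourKey": nt_hash("old-password")},
    "samba-only": {"uid": "carol",
                   "sambaNTPassword": nt_hash("password").hex().upper()},
}


def audit(entries: dict = SAMPLE_ENTRIES) -> dict:
    """Run the check over every entry; returns {uid: result}."""
    return {e["uid"]: check_type23_consistency(e) for e in entries.values()}


if __name__ == "__main__":
    for uid, result in audit().items():
        print(f"{uid}: {result}")
```

The check only works because enctype 23 is derived from the password exactly as the NT hash is; the DES keys Andrew mentions use a different string-to-key function and would need their own derivation rather than a byte comparison.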