Intergrate Heimdal's hdb-ldap and Samba

Love lha at
Sun Mar 7 16:33:59 GMT 2004

Andrew Bartlett <abartlet at> writes:

> There certainly is a password change protocol :-)
> I would not object to storing both, and asserting that they are the same
> in Heimdal.  Samba can't assert that they are the same, but the only
> heimdal code that is going to be used will update the Samba passwords
> anyway, so it is a non-issue.

I don't think I care that much, and just leave it as it is.

>> You changed the structural object class from person to account, is this
>> wise ?
> I certainly think it is.  Person requires the account to be a real
> human, and I would claim that machines are not.  Furthermore, it matches
> what Samba does.

But its not what the old code does, and I guess it might break for old

If I did some more guessing, its because microsoft uses person the old ldap
code uses person.

It should be simple enough to just have a runtime option.

>> Dunno how to express the data for ldap. Example of data that I want to
>> store in the extention structure is pkinit acl's, certificates, old keys
>> (krbtgt's). I guess part of that is expresable in ldap (pkinit acl's at
>> least, because that is what MS does).
> People have generally found that almost anything can be shoved into
> LDAP, given suffienct force ;-)

The idea was not to use way too much force.

> For x.509 certificates, there is a objectClass
> (strongAuthenticationUser) and an attribute (userCertificate) for it
> already.

I was thinking more something like microsoft's
altSecurity(Identity|Principal) (?).


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 477 bytes
Desc: not available
Url :

More information about the samba-technical mailing list