Integrate Heimdal's hdb-ldap and Samba
abartlet at samba.org
Sun Mar 7 21:26:25 GMT 2004
On Mon, 2004-03-08 at 03:33, Love wrote:
> Andrew Bartlett <abartlet at samba.org> writes:
> > There certainly is a password change protocol :-)
> > I would not object to storing both, and asserting that they are the same
> > in Heimdal. Samba can't assert that they are the same, but the only
> > heimdal code that is going to be used will update the Samba passwords
> > anyway, so it is a non-issue.
> I don't think I care that much, and just leave it as it is.
> >> You changed the structural object class from person to account, is this
> >> wise ?
> > I certainly think it is. Person requires the account to be a real
> > human, and I would claim that machines are not. Furthermore, it matches
> > what Samba does.
> But it's not what the old code does, and I guess it might break for old
Existing entries are not touched. So it's probably more compatible than
the hdb changes :-)
> If I did some more guessing, it's because Microsoft uses person that the old ldap
> code uses person.
Microsoft hacked the schema, to remove the 'sn' (surname) requirement.
> It should be simple enough to just have a runtime option.
I think heimdal might need to move towards what Samba does, and have an
'add user script', if you really expect that the first entry in the LDAP
directory for a user will be the heimdal entry.
In the real world, I would have expected that if a site is going to the
pain of setting up LDAP (and it is a pain, no matter what we can do)
that the entries for the accounts would probably already exist (for
nss_ldap, for all the reasons that they wanted their data in a single
place to start with). As such, the 'account' stuff does not come into
play, as the entry already exists.
For those things that are new, I think 'account' (or another suitable
compatible structural objectClass) is appropriate. 'person' to my mind
> >> Dunno how to express the data for ldap. Example of data that I want to
> >> store in the extension structure is pkinit acl's, certificates, old keys
> >> (krbtgt's). I guess part of that is expressible in ldap (pkinit acl's at
> >> least, because that is what MS does).
> > People have generally found that almost anything can be shoved into
> > LDAP, given sufficient force ;-)
> The idea was not to use way too much force.
But that spoils all the fun ;-)
> > For x.509 certificates, there is a objectClass
> > (strongAuthenticationUser) and an attribute (userCertificate) for it
> > already.
> I was thinking more something like microsoft's
> altSecurity(Identity|Principal) (?).
So you don't want to store the certificate, just its 'name' for later
matching? I can't spot an existing standard way, but we should be sure
of that before duplicating something.
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
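An added example, not code from this thread or from Heimdal or Samba: a small MUST-attribute check that illustrates the 'person' versus 'account' point for machine principals, and the userCertificate requirement that comes with strongAuthenticationUser. It assumes the standard schema definitions (RFC 4519, 4524, 4523), that krb5Principal requires krb5PrincipalName as in Heimdal's hdb.schema, and a constructed AD-style variant of 'person' without 'sn', as described above; the entries are constructed.

```python
# Added example (not from the thread, Heimdal or Samba): minimal MUST-attribute
# check showing why a host principal fails as 'person' but fits 'account'.
# person/account/strongAuthenticationUser per RFC 4519/4524/4523; krb5Principal
# assumed to match Heimdal's hdb.schema; the AD 'person' variant is assumed.

MUST_STANDARD = {
    "person": {"cn", "sn"},                           # structural, needs surname
    "account": {"uid"},                               # structural
    "strongAuthenticationUser": {"userCertificate"},  # auxiliary
    "krb5Principal": {"krb5PrincipalName"},           # auxiliary (assumed)
}
# Constructed AD-style schema: same classes, but 'person' no longer needs 'sn'.
MUST_AD = dict(MUST_STANDARD, person={"cn"})


def missing_attributes(entry, schema=MUST_STANDARD):
    """Return {objectClass: MUST attributes the entry lacks}.

    Names are matched case-insensitively as in LDAP; an attribute that is
    present but has no values counts as absent.
    """
    present = {name.lower() for name, values in entry.items() if values}
    missing = {}
    for oc in entry.get("objectClass", []):
        required = schema.get(oc)
        if required is None:
            missing[oc] = {"<objectClass not in schema>"}
            continue
        lacking = {a for a in required if a.lower() not in present}
        if lacking:
            missing[oc] = lacking
    return missing


# Constructed entries: one host principal as 'person', the same as 'account'.
HOST_AS_PERSON = {
    "objectClass": ["person", "krb5Principal"],
    "cn": ["host/kdc1.example.test"],
    "krb5PrincipalName": ["host/kdc1.example.test@EXAMPLE.TEST"],
}
HOST_AS_ACCOUNT = dict(HOST_AS_PERSON, uid=["host/kdc1.example.test"],
                       objectClass=["account", "krb5Principal"])
# A user claiming strongAuthenticationUser with an empty userCertificate.
USER_NO_CERT = {
    "objectClass": ["account", "strongAuthenticationUser"],
    "uid": ["alice"],
    "userCertificate": [],
}
```

Against MUST_STANDARD the 'person' form of the host entry is rejected for lacking 'sn', while the same entry passes as 'account' and also passes the AD-style 'person'.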