Intergrate Heimdal's hdb-ldap and Samba

Andrew Bartlett abartlet at samba.org
Sun Mar 7 21:26:25 GMT 2004 

On Mon, 2004-03-08 at 03:33, Love wrote:
> Andrew Bartlett <abartlet at samba.org> writes:
> 
> > There certainly is a password change protocol :-)
> >
> > I would not object to storing both, and asserting that they are the same
> > in Heimdal.  Samba can't assert that they are the same, but the only
> > heimdal code that is going to be used will update the Samba passwords
> > anyway, so it is a non-issue.
> 
> I don't think I care that much, and just leave it as it is.
> 
> >> You changed the structural object class from person to account, is this
> >> wise ?
> >
> > I certainly think it is.  Person requires the account to be a real
> > human, and I would claim that machines are not.  Furthermore, it matches
> > what Samba does.
> 
> But its not what the old code does, and I guess it might break for old
> installations.

Existing entries are not touched.  So it's probably more compatible than
that the hdb changes :-)

> If I did some more guessing, its because microsoft uses person the old ldap
> code uses person.

Microsoft hacked the schema, to remove the 'sn' (surname) requirement.  

> It should be simple enough to just have a runtime option.

I think heimdal might need to move towards what Samba does, and have an
'add user script', if you really expect that the first entry in the LDAP
directory for a user, will be the heimdal entry. 

In the real world, I would have expected that if a site is going to the
pain of setting up LDAP (and it is a pain, no matter what we can do)
that the entries for the accounts would probably already exist (for
nss_ldap, for all the reasons that they wanted their data in a single
place to start with).  As such, the 'account' stuff does not come into
play, as the entry already exists.

For those things that are new, I think 'account' (or another suitable
compatible structural objectClass) is appropriate.  'person' to my mind
is not.

> >> Dunno how to express the data for ldap. Example of data that I want to
> >> store in the extention structure is pkinit acl's, certificates, old keys
> >> (krbtgt's). I guess part of that is expresable in ldap (pkinit acl's at
> >> least, because that is what MS does).
> >
> > People have generally found that almost anything can be shoved into
> > LDAP, given suffienct force ;-)
> 
> The idea was not to use way too much force.

But that spoils all the fun ;-)

> > For x.509 certificates, there is a objectClass
> > (strongAuthenticationUser) and an attribute (userCertificate) for it
> > already.
> 
> I was thinking more something like microsoft's
> altSecurity(Identity|Principal) (?).

So you don't want to store the certificate, just it's 'name' for later
matching?  I can't spot an existing standard way, but we should be sure
of that before duplicating something.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20040308/ca4ecde4/attachment.bin

More information about the samba-technical mailing list