Integrate Heimdal's hdb-ldap and Samba

Andrew Bartlett abartlet at
Sun Mar 7 21:26:25 GMT 2004

On Mon, 2004-03-08 at 03:33, Love wrote:
> Andrew Bartlett <abartlet at> writes:
> > There certainly is a password change protocol :-)
> >
> > I would not object to storing both, and asserting that they are the same
> > in Heimdal.  Samba can't assert that they are the same, but the only
> > heimdal code that is going to be used will update the Samba passwords
> > anyway, so it is a non-issue.
> I don't think I care that much, and just leave it as it is.
> >> You changed the structural object class from person to account, is this
> >> wise ?
> >
> > I certainly think it is.  Person requires the account to be a real
> > human, and I would claim that machines are not.  Furthermore, it matches
> > what Samba does.
> But it's not what the old code does, and I guess it might break for old
> installations.

Existing entries are not touched.  So it's probably more compatible than
the hdb changes :-)

> If I did some more guessing, it's because Microsoft uses person, the old ldap
> code uses person.

Microsoft hacked the schema, to remove the 'sn' (surname) requirement.  

> It should be simple enough to just have a runtime option.

I think heimdal might need to move towards what Samba does, and have an
'add user script', if you really expect that the first entry in the LDAP
directory for a user will be the heimdal entry.

In the real world, I would have expected that if a site is going to the
pain of setting up LDAP (and it is a pain, no matter what we can do)
that the entries for the accounts would probably already exist (for
nss_ldap, for all the reasons that they wanted their data in a single
place to start with).  As such, the 'account' stuff does not come into
play, as the entry already exists.

For those things that are new, I think 'account' (or another suitable
compatible structural objectClass) is appropriate.  'person' to my mind
is not.

> >> Dunno how to express the data for ldap. Example of data that I want to
> >> store in the extension structure is pkinit acl's, certificates, old keys
> >> (krbtgt's). I guess part of that is expressible in ldap (pkinit acl's at
> >> least, because that is what MS does).
> >
> > People have generally found that almost anything can be shoved into
> > LDAP, given sufficient force ;-)
> The idea was not to use way too much force.

But that spoils all the fun ;-)

> > For x.509 certificates, there is an objectClass
> > (strongAuthenticationUser) and an attribute (userCertificate) for it
> > already.
> I was thinking more something like microsoft's
> altSecurity(Identity|Principal) (?).

So you don't want to store the certificate, just its 'name' for later
matching?  I can't spot an existing standard way, but we should be sure
of that before duplicating something.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
More information about the samba-technical mailing list