Integrate Heimdal's hdb-ldap and Samba
Andrew Bartlett
abartlet at samba.org
Sun Mar 7 21:26:25 GMT 2004
On Mon, 2004-03-08 at 03:33, Love wrote:
> Andrew Bartlett <abartlet at samba.org> writes:
>
> > There certainly is a password change protocol :-)
> >
> > I would not object to storing both, and asserting that they are the same
> > in Heimdal. Samba can't assert that they are the same, but the only
> > heimdal code that is going to be used will update the Samba passwords
> > anyway, so it is a non-issue.
>
> I don't think I care that much, and just leave it as it is.
>
> >> You changed the structural object class from person to account, is this
> >> wise ?
> >
> > I certainly think it is. Person requires the account to be a real
> > human, and I would claim that machines are not. Furthermore, it matches
> > what Samba does.
>
> But its not what the old code does, and I guess it might break for old
> installations.
Existing entries are not touched. So it's probably more compatible than
the hdb changes :-)
> If I did some more guessing, it's because Microsoft uses person that the old
> LDAP code uses person.
Microsoft hacked the schema, to remove the 'sn' (surname) requirement.
> It should be simple enough to just have a runtime option.
I think heimdal might need to move towards what Samba does, and have an
'add user script', if you really expect that the first entry in the LDAP
directory for a user will be the heimdal entry.
In the real world, I would have expected that if a site is going to the
pain of setting up LDAP (and it is a pain, no matter what we can do)
that the entries for the accounts would probably already exist (for
nss_ldap, for all the reasons that they wanted their data in a single
place to start with). As such, the 'account' stuff does not come into
play, as the entry already exists.
For those things that are new, I think 'account' (or another suitable
compatible structural objectClass) is appropriate. 'person' to my mind
is not.
> >> Dunno how to express the data for ldap. Example of data that I want to
> >> store in the extension structure is pkinit ACLs, certificates, old keys
> >> (krbtgt's). I guess part of that is expressible in ldap (pkinit ACLs at
> >> least, because that is what MS does).
> >
> > People have generally found that almost anything can be shoved into
> > LDAP, given sufficient force ;-)
>
> The idea was not to use way too much force.
But that spoils all the fun ;-)
> > For x.509 certificates, there is a objectClass
> > (strongAuthenticationUser) and an attribute (userCertificate) for it
> > already.
>
> I was thinking more something like microsoft's
> altSecurity(Identity|Principal) (?).
So you don't want to store the certificate, just its 'name' for later
matching? I can't spot an existing standard way, but we should be sure
of that before duplicating something.
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
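The schema points argued over above (person's mandatory sn versus account's uid, strongAuthenticationUser's mandatory userCertificate, what dropping the sn requirement from person amounts to) checked against a few constructed directory entries. This is an added example, not code from this thread, Samba or Heimdal; the host name, SID and DNs are invented, the MUST lists are the subset of the public schemas relevant here, and Heimdal's krb5Principal is assumed to be an auxiliary class whose only MUST attribute is krb5PrincipalName.

```python
import base64

# Subset of the schema discussed in the thread: objectClass -> (kind, MUST attrs).
# Sources: RFC 4519/4524 (person, account), RFC 2307 (posixAccount), RFC 4523
# (strongAuthenticationUser), the Samba 3 and Heimdal hdb-ldap schema files.
SCHEMA = {
    "person": ("structural", ("cn", "sn")),
    "account": ("structural", ("uid",)),
    "posixAccount": ("auxiliary", ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")),
    "strongAuthenticationUser": ("auxiliary", ("userCertificate",)),
    "sambaSamAccount": ("auxiliary", ("uid", "sambaSID")),
    "krb5Principal": ("auxiliary", ("krb5PrincipalName",)),  # assumed: auxiliary, MUST krb5PrincipalName
}


def parse_ldif(text):
    """Minimal LDIF parser: one {attr: [values]} dict per entry. Attribute names
    are lower-cased, options such as ';binary' dropped, '::' values base64-decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        value = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip()
        name = name.split(";", 1)[0].lower()
        entry.setdefault(name, []).append(value)
    return entries


def check_entry(entry, schema=SCHEMA):
    """Return the list of MUST/structural violations for one parsed entry."""
    lookup = {oc.lower(): (oc, kind, must) for oc, (kind, must) in schema.items()}
    problems, structural = [], []
    for oc in entry.get("objectclass", []):
        if oc.lower() == "top":
            continue
        if oc.lower() not in lookup:
            problems.append(f"unknown objectClass {oc}")
            continue
        name, kind, must = lookup[oc.lower()]
        if kind == "structural":
            structural.append(name)
        problems += [f"{name} requires {a}" for a in must if a.lower() not in entry]
    # person and account both sit directly under top, so a plain count suffices here.
    if len(structural) != 1:
        problems.append(f"expected one structural objectClass, got {structural}")
    return problems


def relax(schema, objectclass, attr):
    """Copy of schema with attr dropped from objectclass's MUST list: what
    removing the 'sn' requirement from 'person' amounts to."""
    kind, must = schema[objectclass]
    return {**schema, objectclass: (kind, tuple(a for a in must if a != attr))}


# Constructed sample entries (hypothetical host name, SID and people), not real data.
SAMPLE_LDIF = """\
dn: cn=host/ws01.example.com,ou=Hosts,dc=example,dc=com
objectClass: person
objectClass: krb5Principal
cn: host/ws01.example.com
krb5PrincipalName: host/ws01.example.com@EXAMPLE.COM

dn: uid=ws01$,ou=Hosts,dc=example,dc=com
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: krb5Principal
uid: ws01$
cn: ws01$
uidNumber: 10001
gidNumber: 515
homeDirectory: /dev/null
sambaSID: S-1-5-21-1-2-3-2001
krb5PrincipalName: host/ws01.example.com@EXAMPLE.COM

dn: cn=Alice Example,ou=People,dc=example,dc=com
objectClass: person
objectClass: strongAuthenticationUser
cn: Alice Example
sn: Example
"""

if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        print(e["dn"][0], "->", check_entry(e) or "ok")
```

The machine principal stored as person fails only on the missing sn, the same entry under the relaxed schema passes, and the account entry carrying the Samba, POSIX and Heimdal auxiliary classes is clean; the strongAuthenticationUser entry without a userCertificate shows why storing only a certificate name would need a different attribute than that class provides.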