LDAP Schema Design Suggestions?
Henry B. Hotz
hotz at jpl.nasa.gov
Tue Oct 24 21:19:04 EDT 2006
No, I'm not talking about using LDAP to store the back-end for a KDC.
I'm wondering if there are any thoughts or wisdom related to RFC 2307
(or successors) about how to store meta-information about Kerberos
principals. That RFC defines schema's for "machines" and things with
IP numbers. I also need to associate an "owner" for non-people
principals.
Probably incomplete list of information needed for non-people
principals:
Owner (either a uid for a given search base, or else a real-person
principal)
Backup Owner (in case the primary vanishes)
Renewal Date (so we can clean up, and maybe rotate keys)
Maybe a reference to the machine entry, if it isn't part of the
machine entry already.
For a machine, maybe a list of service principals extant?
Excuse the stream-of-consciousness presentation. Trying to put this
in more formal requirements:
A machine may have multiple IP numbers.
An IP number may have multiple service principals.
A service principal has (at least) an owner, backup owner, and
renewal date. (Maybe some duplicated info from the Kerberos DB.)
A service principal may be used to bind to LDAP (to get info about
users).
Are there any standard object classes (besides what's in 2307) that I
might use? Any suggestions, comments?
------------------------------------------------------------------------
----
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
More information about the Kerberos
mailing list