Principal attributes and policy in LDAP Realm

Klaus Heinrich Kiwi klausk at linux.vnet.ibm.com
Mon Jun 16 22:58:03 EDT 2008


On Mon, 2008-06-16 at 19:25 -0400, Ken Raeburn wrote:

> The "application" data in question is indeed the MIT KDC  
> implementation; all this stuff is internal to the MIT implementation.   
> In src/include/kdb.h you'll find definitions of some macros KRB5_TL_*  
> vaguely describing in their names what they're used for; for the  
> actual definitions of the layouts, you'll have to dig around in the  
> sources.  At the moment, it's sort of a catch-all slot for holding  
> anything new we want to stick in there without having to redefine the  
> XDR types we use for database records (since the old DBM-style APIs  
> only give you "key" and "data" slots), stuff like that.

Ken,
 thank you for your explanation. I'm still a bit confused about how the KDC
uses the TL data at the same time the KDB LDAP plugin also has some
specific uses for it (for example KDB_TL_USERDN). Can 'krbExtraData'
accommodate any kind of attribute we think of, just by making sure the
type numbers don't collide? Or is it working some other way? Also, is
tl_data an attribute for principals, realms, or both?

I'm working towards changing the upstream KDB LDAP plugin to
support the IBM Schema, and that schema brings a lot of things as
attributes for principals and realms - I'm just trying to make sure to
reuse the existing internal data structures whenever possible.

 Thanks,

 -Klaus



-- 
Klaus Heinrich Kiwi <klausk at linux.vnet.ibm.com>
Linux Security Development, IBM Linux Technology Center
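The question above about whether different type numbers can share the tl_data slot is easiest to see with a small model of the structure. The following is an added example, not code from the krb5 tree or from either poster: it mirrors the shape of krb5_tl_data in src/include/kdb.h (next pointer, 16-bit type, 16-bit length, octet contents) and the replace-or-append contract of krb5_dbe_update_tl_data / krb5_dbe_lookup_tl_data, and shows that the list is keyed only by the type number. The three KRB5_TL_* values are the ones defined in kdb.h; the value used for the LDAP plugin's USERDN entry, the EXAMPLE_TL_IBM_ATTR number, and the DN and timestamp are assumptions constructed for the illustration.

```c
/* Added example: a stand-alone model of the MIT krb5 tl_data list, not
 * the krb5 implementation itself. Struct shape follows krb5_tl_data in
 * src/include/kdb.h; update/lookup semantics follow the documented
 * contract of krb5_dbe_update_tl_data / krb5_dbe_lookup_tl_data. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct tl_data {
    struct tl_data *tl_data_next;
    int16_t         tl_data_type;     /* the only key on the list */
    int16_t         tl_data_length;
    uint8_t        *tl_data_contents;
} tl_data;

/* Type numbers owned by the KDC core (values as defined in kdb.h). */
#define KRB5_TL_LAST_PWD_CHANGE 0x0001
#define KRB5_TL_MOD_PRINC       0x0002
#define KRB5_TL_KADM_DATA       0x0003
/* ASSUMED value standing in for the LDAP plugin's KDB_TL_USERDN; the real
 * number lives in the plugin's own header. */
#define ASSUMED_TL_USERDN       0x7ffb
/* HYPOTHETICAL number a new schema extension might choose. */
#define EXAMPLE_TL_IBM_ATTR     0x7ffa

/* Return the entry with the given type, or NULL if absent. */
const tl_data *tl_lookup(const tl_data *list, int16_t type)
{
    for (; list != NULL; list = list->tl_data_next)
        if (list->tl_data_type == type)
            return list;
    return NULL;
}

/* Store data under a type: overwrite an existing entry of that type in
 * place, otherwise append. Two consumers that pick the same number
 * therefore clobber each other. Returns 0 on success, -1 on allocation failure. */
int tl_update(tl_data **list, int16_t type, const void *data, int16_t len)
{
    uint8_t *copy = malloc(len > 0 ? (size_t)len : 1);
    if (copy == NULL)
        return -1;
    memcpy(copy, data, (size_t)len);

    for (tl_data *p = *list; p != NULL; p = p->tl_data_next) {
        if (p->tl_data_type == type) {
            free(p->tl_data_contents);
            p->tl_data_contents = copy;
            p->tl_data_length = len;
            return 0;
        }
    }
    tl_data *n = calloc(1, sizeof(*n));
    if (n == NULL) {
        free(copy);
        return -1;
    }
    n->tl_data_type = type;
    n->tl_data_length = len;
    n->tl_data_contents = copy;
    tl_data **tail = list;              /* append, keeping insertion order */
    while (*tail != NULL)
        tail = &(*tail)->tl_data_next;
    *tail = n;
    return 0;
}

size_t tl_count(const tl_data *list)
{
    size_t n = 0;
    for (; list != NULL; list = list->tl_data_next)
        n++;
    return n;
}

void tl_free(tl_data *list)
{
    while (list != NULL) {
        tl_data *next = list->tl_data_next;
        free(list->tl_data_contents);
        free(list);
        list = next;
    }
}

/* Does the entry of this type hold exactly the string `expect`? */
int tl_holds(const tl_data *list, int16_t type, const char *expect)
{
    const tl_data *e = tl_lookup(list, type);
    return e != NULL && e->tl_data_length == (int16_t)strlen(expect)
        && memcmp(e->tl_data_contents, expect, (size_t)e->tl_data_length) == 0;
}

/* Constructed sample DN and timestamp for the scenarios below. */
static const char *sample_dn =
    "krbPrincipalName=alice@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbcontainer";

/* KDC core, LDAP plugin and a new schema attribute each use a distinct
 * number, so all three entries coexist. Returns the entry count (3) on
 * success, 0 if any value was lost. */
size_t scenario_disjoint_types(void)
{
    tl_data *list = NULL;
    uint32_t when = 1213660683u;          /* constructed last-pwd-change */
    tl_update(&list, KRB5_TL_LAST_PWD_CHANGE, &when, (int16_t)sizeof when);
    tl_update(&list, ASSUMED_TL_USERDN, sample_dn, (int16_t)strlen(sample_dn));
    tl_update(&list, EXAMPLE_TL_IBM_ATTR, "ibm-value", 9);
    int ok = tl_holds(list, ASSUMED_TL_USERDN, sample_dn)
          && tl_holds(list, EXAMPLE_TL_IBM_ATTR, "ibm-value");
    size_t n = tl_count(list);
    tl_free(list);
    return ok ? n : 0;
}

/* The new attribute reuses the plugin's USERDN number: the later update
 * replaces the DN in place and the plugin now reads the wrong value.
 * Returns 1 if the DN survived, 0 if it was clobbered. */
int scenario_colliding_types(void)
{
    tl_data *list = NULL;
    tl_update(&list, ASSUMED_TL_USERDN, sample_dn, (int16_t)strlen(sample_dn));
    tl_update(&list, ASSUMED_TL_USERDN, "ibm-value", 9);   /* same number */
    int survived = tl_holds(list, ASSUMED_TL_USERDN, sample_dn)
                   && tl_count(list) == 1 ? 1 : 0;
    tl_free(list);
    return survived;
}

int main(void)
{
    printf("disjoint types: %zu entries kept\n", scenario_disjoint_types());
    printf("colliding types: DN survived = %d\n", scenario_colliding_types());
    return 0;
}
```

The point the model makes: nothing in the list itself namespaces the entries, so a plugin that adds new KRB5_TL_*-style values must choose numbers that neither the KDC core's nor the LDAP plugin's own definitions already use, and the only guarantee of that is the headers, not the data structure.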