Principal attributes and policy in LDAP Realm
Ken Raeburn
raeburn at MIT.EDU
Mon Jun 16 23:38:53 EDT 2008
On Jun 16, 2008, at 22:58, Klaus Heinrich Kiwi wrote:
> thank you for your explanation. I'm still a bit confused about how KDC
> uses the TL data at the same time the KDB LDAP plugin also has some
> specific uses for it (for example KDB_TL_USERDN). Can 'krbExtraData'
> accommodate any kind of attribute we think of, just by making sure the
> type numbers don't collide? Or is it working some other way? Also, is
> tl_data an attribute for principals, realms, or both?
I think as long as the numbers don't collide, you can store whatever
you like, within the limits of the underlying database back end of
course. Naturally there's the issue of possible conflicts if multiple
database plugins or vendors start picking numbers while MIT's code
base also adds numbers.
> I'm working towards changing the upstream KDB LDAP plugin into
> supporting the IBM Schema, and that Schema brings a lot of things as
> attributes for principals and realms - I'm just trying to make sure to
> reuse the existing internal data structures whenever possible.
I suspect there are several LDAP schemas we could do a better job of
supporting and integrating with...
Ken
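To make the "as long as the numbers don't collide" constraint concrete, here is an added example (not code from this thread or from MIT krb5): a small tl_data list whose insert routine rejects a type number that is already present. The struct is defined locally so it compiles without the krb5 headers; its fields are assumed to mirror the shape of krb5_tl_data in kdb.h, and the type numbers and values are constructed for the demo.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-in for krb5_tl_data (assumed shape: next, type, length, contents). */
typedef struct tl_data {
    struct tl_data *next;
    uint16_t type;      /* tl_data_type: must be unique within one principal entry */
    uint16_t length;    /* tl_data_length */
    uint8_t *contents;  /* tl_data_contents */
} tl_data;

/* Return the entry with the given type number, or NULL if none. */
const tl_data *tl_find(const tl_data *head, uint16_t type) {
    for (; head != NULL; head = head->next)
        if (head->type == type) return head;
    return NULL;
}

/* Append a copy of buf[0..len) under 'type'.  Returns 0 on success,
 * -1 if that type number is already taken (collision), -2 on allocation failure.
 * Two owners (KDC core and a KDB plugin) picking the same number hit the -1 path. */
int tl_add(tl_data **head, uint16_t type, const void *buf, uint16_t len) {
    if (tl_find(*head, type) != NULL) return -1;
    tl_data *e = calloc(1, sizeof *e);
    if (e == NULL) return -2;
    e->contents = malloc(len ? len : 1);
    if (e->contents == NULL) { free(e); return -2; }
    memcpy(e->contents, buf, len);
    e->type = type;
    e->length = len;
    tl_data **p = head;
    while (*p != NULL) p = &(*p)->next;   /* keep insertion order */
    *p = e;
    return 0;
}

void tl_free(tl_data *head) {
    while (head != NULL) {
        tl_data *n = head->next;
        free(head->contents);
        free(head);
        head = n;
    }
}

/* Constructed scenario: types 100 and 200 are stored, then a second owner
 * tries to reuse 100.  Returns 1 if the collision was detected and lookups work. */
int demo_collision(void) {
    tl_data *list = NULL;
    int ok = 1;
    ok &= tl_add(&list, 100, "kdc-owned", 9) == 0;
    ok &= tl_add(&list, 200, "cn=x,dc=example", 15) == 0;  /* DN-like value, constructed */
    ok &= tl_add(&list, 100, "plugin-owned", 12) == -1;   /* same number, rejected */
    ok &= tl_find(list, 200) != NULL && tl_find(list, 300) == NULL;
    tl_free(list);
    return ok;
}
```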