Principal attributes and policy in LDAP Realm
Ken Raeburn
raeburn at MIT.EDU
Wed Jun 18 09:04:53 EDT 2008
On Jun 17, 2008, at 07:57, Klaus Heinrich Kiwi wrote:
> On Mon, 2008-06-16 at 23:38 -0400, Ken Raeburn wrote:
>> I suspect there are several LDAP schemas we could do a better job of
>> supporting and integrating with...
>
> And what, in your opinion, would be the better approach to accomplish
> this task?
I don't think I'm familiar enough with LDAP in general and the various
schemas in particular to be well-qualified to answer that right now.
If the differences are minor, a single integrated back end with some
run-time configuration, as you suggest, would probably be best, but if
the differences in some of the schemas are too fundamental, it may not
be practical to support all the commonly-used ones out there with a
single database back end. Though at least some of the basic routines
for handling LDAP server config info and managing communication
channels can probably be kept common.
> What I am doing right now is using the existing KDB LDAP plugin as a
> base for a new plugin (I wonder if I should worry about namespace
> collisions later), but of course ideally we should stick with a single
> code base and have the differences handled by runtime configuration.
> I'm just not sure if that is feasible or not.
It sounds good to me, but I can't judge the feasibility at the moment
either.
Ken