Principal attributes and policy in LDAP Realm

Ken Raeburn raeburn at MIT.EDU
Wed Jun 18 09:04:53 EDT 2008


On Jun 17, 2008, at 07:57, Klaus Heinrich Kiwi wrote:
> On Mon, 2008-06-16 at 23:38 -0400, Ken Raeburn wrote:
>> I suspect there are several LDAP schemas we could do a better job of
>> supporting and integrating with...
>
> And what, in your opinion, would be the better approach to accomplish
> this task?

I don't think I'm familiar enough with LDAP in general and the various
schemas in particular to be well-qualified to answer that right now.
If the differences are minor, a single integrated back end with some
run-time configuration, as you suggest, would probably be best, but if
the differences in some of the schemas are too fundamental, it may not
be practical to support all the commonly-used ones out there with a
single database back end.  Though at least some of the basic routines
for handling LDAP server config info and managing communication
channels can probably be kept common.

> What I am doing right now is using the existing KDB LDAP plugin as a
> base for a new plugin (I wonder if I should worry about namespace
> collisions later), but of course ideally we should stick with a single
> code base and have the differences handled by runtime configuration.
> I'm just not sure if that is feasible or not.

It sounds good to me, but I can't judge the feasibility at the moment
either.

Ken
