Principal attributes and policy in LDAP Realm

Simo Sorce ssorce at redhat.com
Mon Jun 23 09:05:10 EDT 2008


On Mon, 2008-06-16 at 23:58 -0300, Klaus Heinrich Kiwi wrote:
> On Mon, 2008-06-16 at 19:25 -0400, Ken Raeburn wrote:
> 
> > The "application" data in question is indeed the MIT KDC  
> > implementation; all this stuff is internal to the MIT implementation.   
> > In src/include/kdb.h you'll find definitions of some macros KRB5_TL_*  
> > vaguely describing in their names what they're used for; for the  
> > actual definitions of the layouts, you'll have to dig around in the  
> > sources.  At the moment, it's sort of a catch-all slot for holding  
> > anything new we want to stick in there without having to redefine the  
> > XDR types we use for database records (since the old DBM-style APIs  
> > only give you "key" and "data" slots), stuff like that.
> 
> Ken,
>  thank you for your explanation. I'm still a bit confused about how KDC
> uses the TL data at the same time the KDB LDAP plugin also has some
> specific uses for it (for example KDB_TL_USERDN). Can 'krbExtraData'
> accommodate any kind of attribute we think of, just by making sure the
> type numbers don't collide? Or is it working some other way? Also, is
> tl_data an attribute for principals, realms, or both?
> 
> I'm working towards changing the upstream KDB LDAP plugin into
> supporting the IBM Schema, and that Schema brings a lot of things as
> attributes for principals and realms - I'm just trying to make sure to
> reuse the existing internal data structures whenever possible.

Klaus, the current Kerberos schema as implemented by MIT is not ideal,
but adding support for multiple schemas seems like a way to fragment;
wouldn't it be better to join efforts to come up with a schema we can
all standardize upon?

Do you have pointers to the IBM schema? I'd like to take a look at the
differences.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York