An alternative plan for principal mapping

Sam Hartman hartmans at MIT.EDU
Wed Aug 2 22:29:30 EDT 2006

>>>>> "Rahul" == Rahul Srinivas <srahul at> writes:

I think the core of our discussion is the following claim:

    Rahul> Moreover, principals
    Rahul> linked to a directory object have the same 'status' as
    Rahul> principals added to the object (through auxiliary
    Rahul> class). The link is to be used only when the principal
    Rahul> can't be directly added to the directory object. So, if the
    Rahul> LDAP plugin can add a principal to a user (through
    Rahul> auxiliary class), it should also be ablr to create links.

I question whether it is true that adding an auxiliary class to a
directory object should have the same semantic meaning as adding a
link.  I understand you believe the answer is yes.  My best guess from
a data modeling standpoint is that these operations have different
semantic meaning: linking implies a more distant relationship.  So it
would be inappropriate for the plugin to treat  them the same.

LDAP experts I've talked to seem to agree with this interpretation.

We need to find some way to resolve this disagreement.

    Rahul> Hi,
    >> I don't see why the DAL plugin needs to handle links from
    >> kerberos principals to other objects.  It seems better to move
    >> that handling into the code that understands the other objects
    >> and better understands the information model of the directory.
    >> Kerberos could at best maintain such links, but Kerberos is
    >> going to be no better at maintaining the links that something
    >> else.  And if such links are useful, it is clear you have a
    >> something else.

    Rahul> A link between a Kerberos principal object and a directory
    Rahul> user object is needed for two reasons.  1. The KDC should
    Rahul> apply the user's login policies and password policies to
    Rahul> the principal.  2. When the principal authenticates to a
    Rahul> service, the service will use the link to find which user
    Rahul> the principal belongs to and grant appropriate access.
    Rahul> Since it is the KDC which needs the link (reason 1 above),

Do reason 1 and 2 actually require the same type of link?

Also, I believe that Luke's question needs to be answered: how can we
accomplish 1 in a portable manner?


More information about the krbdev mailing list