Associating Kerberos identities to LDAP object
Sam Hartman
hartmans at MIT.EDU
Wed Jul 26 08:13:27 EDT 2006
>>>>> "Praveenkumar" == Praveenkumar Sahukar <psahukar at novell.com> writes:
Praveenkumar> Additional kerberos identities will be created as
Praveenkumar> separate krbprincipal objects. The krbprincipal
Praveenkumar> objects will be created either in a separate
Praveenkumar> container under realm's subtree or directly under
Praveenkumar> the realm's subtree. If a separate container under
Praveenkumar> realm's subtree is dedicated for the additional
Praveenkumar> principals then the information of this separate
Praveenkumar> container will be stored in the realm container
Praveenkumar> object.
First, I think that asserting the first principal will extend the
directory object is problematic. I think you want to explicitly
distinguish between the containment and association cases; see my
previous mail. I believe that for example you would want containment
when a principal is very tightly bound to some object. For example
the host principal and a host object; the user principal and the user
object. Other principals--services on a host, additional instances,
etc. should be associated.
Do you need to limit where these objects can live for
read or write? I understand you need to limit where these objects are
created by your code, but can you just find the principal object
wherever it exists?
Praveenkumar> Two way links between the LDAP object and the
Praveenkumar> krbprincipal object will be created.
Why do you need two way links? If you have two way links they
can get out of sync.
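As an added illustration of the out-of-sync risk raised above (example code, not from this thread or from any real Kerberos LDAP schema): constructed directory entries with assumed link attribute names, a check that reports dangling or unmirrored links, and a lookup that finds principal objects anywhere in the tree from a one-way back reference alone.

```python
# Added example: directory entries modelled as DN -> attribute dicts.
# The link attributes krbPrincipalRef / krbObjectRef are assumed names,
# and every DN below is constructed for illustration.
REALM = "cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
ALICE_P = f"krbPrincipalName=alice@EXAMPLE.COM,{REALM}"
BOB_P = f"krbPrincipalName=bob@EXAMPLE.COM,{REALM}"
# Service principal kept in a separate container under the realm subtree.
HTTP_P = f"krbPrincipalName=HTTP/www.example.com@EXAMPLE.COM,cn=services,{REALM}"

ENTRIES = {
    ALICE: {"objectClass": ["inetOrgPerson"], "krbPrincipalRef": [ALICE_P, HTTP_P]},
    ALICE_P: {"objectClass": ["krbPrincipal"], "krbObjectRef": [ALICE]},
    HTTP_P: {"objectClass": ["krbPrincipal"], "krbObjectRef": [ALICE]},
    # Bob's principal was renamed, but the user entry still points at the old DN:
    # this is the two-way-link drift the mail warns about.
    BOB: {"objectClass": ["inetOrgPerson"],
          "krbPrincipalRef": [f"krbPrincipalName=robert@EXAMPLE.COM,{REALM}"]},
    BOB_P: {"objectClass": ["krbPrincipal"], "krbObjectRef": [BOB]},
}


def link_problems(entries, fwd="krbPrincipalRef", back="krbObjectRef"):
    """Return (dn, message) for every link that is dangling or not mirrored."""
    problems = []
    for dn, attrs in entries.items():
        for attr, mirror in ((fwd, back), (back, fwd)):
            for target in attrs.get(attr, []):
                other = entries.get(target)
                if other is None:
                    problems.append((dn, f"{attr} points at missing entry {target}"))
                elif dn not in other.get(mirror, []):
                    problems.append((dn, f"{target} has no {mirror} back to this entry"))
    return problems


def principals_for(entries, object_dn, back="krbObjectRef"):
    """Find principal objects wherever they live, using only the back link."""
    return sorted(dn for dn, attrs in entries.items()
                  if "krbPrincipal" in attrs.get("objectClass", [])
                  and object_dn in attrs.get(back, []))


if __name__ == "__main__":
    for dn, msg in link_problems(ENTRIES):
        print(f"{dn}: {msg}")
    print("alice's principals:", principals_for(ENTRIES, ALICE))
```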