Associating Kerberos identities to LDAP object
hartmans at MIT.EDU
Wed Jul 26 08:13:27 EDT 2006
>>>>> "Praveenkumar" == Praveenkumar Sahukar <psahukar at novell.com> writes:
Praveenkumar> Additional kerberos identities will be created as
Praveenkumar> separate krbprincipal objects. The krbprincipal
Praveenkumar> objects will be created either in a separate
Praveenkumar> container under realm's subtree or directly under
Praveenkumar> the realm's subtree. If a separate container under
Praveenkumar> realm's subtree is dedicated for the additional
Praveenkumar> principals then the information of this separate
Praveenkumar> container will be stored in the realm container

First, I think that asserting the first principal will extend the
directory object is problematic. I think you want to explicitly
distinguish between the containment and association cases; see my
previous mail. I believe that for example you would want containment
when a principal is very tightly bound to some object. For example
the host principal and a host object; the user principal and the user
object. Other principals--services on a host, additional instances,
etc.--should be associated.

Do you need to limit where these objects can live for
read or write? I understand you need to limit where these objects are
created by your code, but can you just find the principal object
wherever it exists?
Praveenkumar> Two way links between the LDAP object and the
Praveenkumar> krbprincipal object will be created.

Why do you need two way links? If you have two way links they
can get out of sync.
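As an added illustration of the two points raised above (finding the principal object wherever it lives, and two-way links drifting out of sync), the following example is not from the original mail or from any Kerberos LDAP schema: it models a directory snapshot as a dict of DNs, and the attribute names krbPrincipalRef, krbObjectRef and krbPrincipalName, the container names and the sample entries are all assumptions made for the example.

```python
REALM = "cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com"
USERS = "ou=users,dc=example,dc=com"

# Constructed directory snapshot: DN -> attributes. The attribute names
# are assumed for this example, not taken from any real Kerberos schema.
DIRECTORY = {
    # alice: forward and back links agree.
    f"cn=alice,{USERS}": {"krbPrincipalRef": f"krbPrincipalName=alice@EXAMPLE.COM,{REALM}"},
    f"krbPrincipalName=alice@EXAMPLE.COM,{REALM}": {
        "krbPrincipalName": "alice@EXAMPLE.COM", "krbObjectRef": f"cn=alice,{USERS}"},
    # bob: principal moved into a dedicated container after the links were
    # written, so the user's forward link now dangles.
    f"cn=bob,{USERS}": {"krbPrincipalRef": f"krbPrincipalName=bob@EXAMPLE.COM,{REALM}"},
    f"krbPrincipalName=bob@EXAMPLE.COM,cn=principals,{REALM}": {
        "krbPrincipalName": "bob@EXAMPLE.COM", "krbObjectRef": f"cn=bob,{USERS}"},
    # carol: the principal's back link points at the wrong user entry.
    f"cn=carol,{USERS}": {"krbPrincipalRef": f"krbPrincipalName=carol@EXAMPLE.COM,{REALM}"},
    f"krbPrincipalName=carol@EXAMPLE.COM,{REALM}": {
        "krbPrincipalName": "carol@EXAMPLE.COM", "krbObjectRef": f"cn=alice,{USERS}"},
}

def check_two_way_links(directory):
    """Report every entry whose link is not mirrored by the entry it points at."""
    problems = []
    for dn, attrs in directory.items():
        fwd = attrs.get("krbPrincipalRef")
        if fwd is not None:
            target = directory.get(fwd)
            if target is None:
                problems.append((dn, "krbPrincipalRef is dangling"))
            elif target.get("krbObjectRef") != dn:
                problems.append((dn, "principal does not link back"))
        back = attrs.get("krbObjectRef")
        if back is not None:
            owner = directory.get(back)
            if owner is None or owner.get("krbPrincipalRef") != dn:
                problems.append((dn, "object does not link back"))
    return problems

def find_principal(directory, name):
    """One-way alternative: locate the principal by name wherever it lives."""
    return [dn for dn, a in directory.items() if a.get("krbPrincipalName") == name]

if __name__ == "__main__":
    for dn, why in check_two_way_links(DIRECTORY):
        print(f"out of sync: {dn}: {why}")
    print(find_principal(DIRECTORY, "bob@EXAMPLE.COM"))
```

Running the check against the snapshot flags both halves of each broken pair, while the name search still finds bob's principal in its new container without any stored link.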