Associating Kerberos identities to LDAP object
William.Fiveash at sun.com
Thu Jul 27 17:36:10 EDT 2006
On Wed, Jul 26, 2006 at 08:13:27AM -0400, Sam Hartman wrote:
> >>>>> "Praveenkumar" == Praveenkumar Sahukar <psahukar at novell.com> writes:
> Praveenkumar> Additional kerberos identities will be created as
> Praveenkumar> separate krbprincipal objects. The krbprincipal
> Praveenkumar> objects will be created either in a separate
> Praveenkumar> container under realm's subtree or directly under
> Praveenkumar> the realm's subtree. If a separate container under
> Praveenkumar> realm's subtree is dedicated for the additional
> Praveenkumar> principals then the information of this separate
> Praveenkumar> container will be stored in the realm container
> Praveenkumar> object.
> First, I think that asserting the first principal will extend the
> directory object is problematic. I think you want to explicitly
> distinguish between the containment and association cases; see my
> previous mail. I believe that for example you would want containment
> when a principal is very tightly bound to some object. For example
> the host principal and a host object; the user principal and the user
> object. Other principals--services on a host, additional instances,
> tc should be associated.
> Do you need to limit where these objects can live for
> read or write? I understand you need to limit where these objects are
> created by your code, but can you just find the principal object
> wherever it exists?
I agree that the LDAP plugin should not hard-code assumptions about
whether krb principal attributes are to be mixed in with an existing
object or that a new krb principal structural object will be created.
(I'll comment more on Sam's other e-mails regarding this topic.)
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
More information about the krbdev