Associating Kerberos identities to LDAP object

Will Fiveash William.Fiveash at sun.com
Thu Jul 27 17:36:10 EDT 2006


On Wed, Jul 26, 2006 at 08:13:27AM -0400, Sam Hartman wrote:
> >>>>> "Praveenkumar" == Praveenkumar Sahukar <psahukar at novell.com> writes:
> 
>     Praveenkumar> Additional kerberos identities will be created as
>     Praveenkumar> separate krbprincipal objects. The krbprincipal
>     Praveenkumar> objects will be created either in a separate
>     Praveenkumar> container under realm's subtree or directly under
>     Praveenkumar> the realm's subtree.  If a separate container under
>     Praveenkumar> realm's subtree is dedicated for the additional
>     Praveenkumar> principals then the information of this separate
>     Praveenkumar> container will be stored in the realm container
>     Praveenkumar> object.
> 
> First, I think that asserting the first principal will extend the
> directory object is problematic.  I think you want to explicitly
> distinguish between the containment and association cases; see my
> previous mail.  I believe that for example you would want containment
> when a principal is very tightly bound to some object.  For example
> the host principal and a host object; the user principal and the user
> object.  Other principals--services on a host, additional instances,
> etc. should be associated.
> 
> Do you need to limit where these objects can live for
> read or write?  I understand you need to limit where these objects are
> created by your code, but can you just find the principal object
> wherever it exists?

I agree that the LDAP plugin should not hard-code assumptions about
whether krb principal attributes are to be mixed in with an existing
object or that a new krb principal structural object will be created.

(I'll comment more on Sam's other e-mails regarding this topic.)
-- 
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
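As an added illustration of the point discussed in this thread (not code from the thread or from the MIT krb5 LDAP plugin), the resolver below locates a principal's directory object under either model: containment, where principal attributes are mixed into an existing user or host entry, or association, where the principal is a separate structural entry placed wherever the deployment chose. It assumes the MIT krb5 schema names krbPrincipalAux (auxiliary class), krbPrincipal (structural class) and krbPrincipalName, and the LDIF entries are constructed for the example.

```python
import re

# Constructed LDIF for the example: one realm subtree, with principals stored
# both by containment (alice) and by association (the two host/service entries).
SAMPLE_LDIF = """\
dn: cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com
objectClass: krbRealmContainer
cn: EXAMPLE.COM

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: krbPrincipalAux
uid: alice
krbPrincipalName: alice@EXAMPLE.COM

dn: krbPrincipalName=host/web1.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com
objectClass: krbPrincipal
krbPrincipalName: host/web1.example.com@EXAMPLE.COM

dn: krbPrincipalName=HTTP/web1.example.com@EXAMPLE.COM,cn=services,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com
objectClass: krbPrincipal
krbPrincipalName: HTTP/web1.example.com@EXAMPLE.COM
"""

def parse_ldif(text):
    """Parse simple LDIF (no line folding, no base64) into a list of (dn, attrs);
    attrs maps a lower-cased attribute name to its list of values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        entries.append((dn, attrs))
    return entries

def find_principal(entries, principal):
    """Find the entry holding `principal` wherever it lives; no container is assumed.
    Returns (dn, model), model being 'containment' (auxiliary class on an existing
    object) or 'association' (standalone krbPrincipal entry). A principal name that
    matches zero or several entries is rejected: a KDC must never guess which
    object answers for a name, so ambiguity is an error rather than a first hit."""
    matches = [(dn, a) for dn, a in entries
               if principal in a.get("krbprincipalname", [])]
    if len(matches) != 1:
        raise LookupError(f"{principal}: {len(matches)} matching entries")
    dn, attrs = matches[0]
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    model = "association" if "krbprincipal" in classes else "containment"
    return dn, model
```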