Lists of LDAP requirements

Savitha R rsavitha at
Mon Jul 31 09:23:56 EDT 2006

Comments tagged with <Savitha>

On Tue, 2006-07-18 at 14:23 -0500, Will Fiveash wrote:
> On Mon, Jul 17, 2006 at 05:37:07PM -0400, Sam Hartman wrote:
> > 
> > 
> > HI.  Hi.  Two weeks ago I asked people interested in working on the
> > LDAP plugin to send in the list of issues they want to see fixed for
> > 1.6.
> > 
> > I have only seen MIT's list.
> > 
> > I was sort of expecting something from at least Sun and Novell.
> I've attached the current set of Sun requested LDAP plugin issues.
- I Schema
2 No schema versioning support
  Novell has shipped the current schema so any change to current
  schema will need a new version #.
<Savitha>The schema version can be determined by probing for the new 
attributes/classes introduced. 
Most of the other schema issues have been taken care of in the
modified schema<Savitha>

 - III Admin interface consistency 
2 Is kdb5_ldap_util really necessary? 
<Savitha>There seems to be very little in common between the
options and commands in kdb5_util and kdb5_ldap_util. The create/modify
realm commands have a huge number of options which are specific to LDAP
backend. The commands to modify, view realms and create, modify, view,
list and destroy policies are available for the LDAP backend only. It
would be better to keep the two utilities separate. 
dump and load functionality can be added in the future to handle the 
migration from db2 to LDAP backend and vice-versa.<Savitha>

- IV DIT (Directory Information Tree)
   - 1 LDAP plugin should support more than 1 principal associated with
a non-krbprincipal object 
<Savitha>The approach for this has been posted. Let us know your
comments  on this.<Savitha>

- VII k*.conf parameters and the krbrealmcontainer object       
   - 1 k*.conf parameters must take precedence over krbrealmcontainer    
object attributes (or any other dir. object). 
<Savitha>Currently, only k*.conf parameters are used. 
When the support to read these attributes from the realm object is 
added, k*.conf should take precedence over the directory object <Savitha>        

   - 2 There should not be any default k*.conf parameters values for
      krbrealmcontainer object, only values specified by admin.
      Currently the LDAP code is creating krbrealmcontainer entries
      with supported_enctypes filled in.  This is not good. 
<Savitha>Agreed. The LDAP code should not fill in these types. 
It should take only the values configured by the administrator.<Savitha>
   - 3 krbrealmcontainer parameters should also be supported by k*.conf
      files. For example the krbsubtree attribute in the krbrealmcontainer
      should have an analogous kdc.conf parameter in the realms section.
      Creation of a krbrealmcontainer should be optional. 
<Savitha>The idea is to move as much information as possible to the 
directory and use file to override the configuration in directory.<Savitha>
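
Added example, not part of the original message or of the krb5 code base: one way to determine a schema version by probing for the attributes and classes each revision introduced, as suggested under "No schema versioning support" above. The OIDs, the `exampleNew*` names and the version-to-marker mapping are hypothetical; the sample definitions are constructed in RFC 4512 syntax.

```python
import re

# Constructed subschema values, as a server would return them in the
# attributeTypes / objectClasses attributes of its subschema entry.
# OIDs and the "exampleNew*" names are hypothetical placeholders.
SAMPLE_SUBSCHEMA = [
    "( 1.3.6.1.4.1.99999.1.1 NAME 'krbsubtree' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )",
    "( 1.3.6.1.4.1.99999.1.2 NAME ( 'exampleNewAttr' 'exNewAttr' ) SINGLE-VALUE )",
    "( 1.3.6.1.4.1.99999.2.1 NAME 'krbrealmcontainer' SUP top MUST cn MAY krbsubtree )",
]

# Hypothetical markers: names first introduced by each schema revision.
VERSION_MARKERS = {
    1: {"krbrealmcontainer", "krbsubtree"},
    2: {"examplenewattr"},
    3: {"examplenewclass"},
}

# NAME is either a single quoted descriptor or a parenthesised list of them.
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")


def defined_names(definitions):
    """Collect every NAME from the definitions, lower-cased (LDAP names are case-insensitive)."""
    names = set()
    for definition in definitions:
        match = _NAME_RE.search(definition)
        if not match:
            continue  # an OID-only definition cannot be probed by name
        if match.group(1):
            names.add(match.group(1).lower())
        else:
            names.update(n.lower() for n in re.findall(r"'([^']+)'", match.group(2)))
    return names


def probe_schema_version(definitions, markers=VERSION_MARKERS):
    """Return the highest version whose markers, and those of every earlier
    version, are all present. Returns 0 if even the first set is incomplete."""
    present = defined_names(definitions)
    version = 0
    for candidate in sorted(markers):
        if not markers[candidate] <= present:
            break  # a gap means later markers cannot be trusted as a version signal
        version = candidate
    return version
```

Requiring every earlier revision's markers as well guards against a partially extended directory being reported as the newer schema.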

