concerns with ldap plugin and 1.5

Henry B. Hotz hotz at jpl.nasa.gov
Thu Jun 1 19:12:45 EDT 2006


On Jun 1, 2006, at 1:22 PM, krbdev-request at mit.edu wrote:

> Date: Thu, 1 Jun 2006 15:22:36 -0500
> From: Will Fiveash <William.Fiveash at sun.com>
> Subject: Re: concerns with ldap plugin and 1.5
> To: Praveenkumar Sahukar <psahukar at novell.com>
> Cc: MIT Kerberos Dev List <krbdev at mit.edu>
> Message-ID: <20060601202236.GA4031 at sun.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Thu, Jun 01, 2006 at 05:25:35AM -0600, Praveenkumar Sahukar wrote:
>>>>> On Thu, Jun 1, 2006 at  6:23 AM, in message
>> <20060601005356.GA27225 at sun.com>,
>> Will Fiveash <William.Fiveash at sun.com> wrote:
>>> I have a number of concerns regarding the ldap plugin and schema in the
>>> upcoming MIT 1.5 release:
>>>
>>>
>>> -  How is an existing db2 KDB migrated to a LDAP/Directory based KDB?
>>
>> We are designing a migration tool for migrating the MIT db2 KDB to LDAP
>> database.
>
> Why can't one do a kdb5_util dump with the db2 KDB then reconfigure to
> use the ldap plugin, initialize the directory for KDB use, then use
> kdb5_util load to populate the ldap KDB?
>
> Without this support, many customers are not going to be happy.

I'm slightly boggled that this wasn't part of the original design.

I would expect a basic dump/reconfigure/restore as the normal upgrade  
procedure for any change in (functionally hidden) back-ends.  Since  
the back-end isn't hidden from the normal user/admin interface,  
suddenly you have a whole new class of things that need explaining  
and documenting.  Also the trade-offs among back-ends are no longer  
obvious.

Of course I'm a Heimdal user who doesn't actually use the LDAP back-end
support (and doesn't currently plan to).  Take my comment as
being perhaps naive.

----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu




