LDAP schema questions

Andrew Bartlett abartlet at samba.org
Tue Jun 6 18:59:17 EDT 2006


Sorry to be coming late to this discussion, but as I've just been tasked
with working with the MIT Kerberos LDAP backend, and I have some
questions and concerns as to the schema:   (I have the schema from
current SVN, noted as Version 1.3, 2005)

In particular, I'm surprised by the format of the krbSecretKey
attribute:

It seems to me that about a dozen different attributes have been placed
into this attribute.  Why is such a complex structure used?  The
Heimdal schema (which I am more familiar with) encodes many of these as
separate attributes.  I'm thinking in particular of the times: why not
use pwdLastSet, or at worst a 'krb5KeyLastSet'?  Likewise, why is there
duplication between the krbPrincipalName and part of the krbSecretKey?

Likewise, why are the keys not in a multivalued attribute?  (Heimdal
uses an asn1 structure to combine the key and salt, then places them
into each value of the multivalued attribute)

Also, the document specifies many time attributes, but I'm unclear what
all the time formats are.  In particular, is krbMaxPwdLife in seconds?  

I share some of the concerns already expressed regarding the server
configuration in LDAP, but this worries me less than the user/principal
records.

My interest here is that I've been asked to make Samba4's LDAP server
produce records suitable for the consumption by the MIT KDC (likely
modified, but hopefully without drastic changes). 

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net