LDAP schema questions
Luke Howard
lukeh at padl.com
Tue Jun 6 20:43:27 EDT 2006
>It seems to me that about a dozen different attributes have been placed
>into this attribute. Why is a such a complex structure used? The
>Heimdal schema (which I am more familiar with) encodes many of these as
>separate attributes. I'm thinking in particular of the times: why not
>use pwdLastSet, or at worst a 'krb5KeyLastSet'? Likewise, why is there
>duplication between the krbPrincipalName and part of the krbSecretKey?
Is it to store the salting principal perhaps in case the principal is
renamed? I really need to look at the code (is there a websvn link
anywhere?)
Note that pwdLastSet is an AD-ism, you probably don't want this in a
generic backend.
Also, storing the key in a single-valued attribute may have some advantages
as far as atomicity is concerned, depending on the replication model.
-- Luke