LDAP schema questions

Andrew Bartlett abartlet at samba.org
Tue Jun 6 20:55:59 EDT 2006


On Wed, 2006-06-07 at 10:43 +1000, Luke Howard wrote:
> >It seems to me that about a dozen different attributes have been placed
> >into this attribute.  Why is a such a complex structure used?  The
> >Heimdal schema (which I am more familiar with) encodes many of these as
> >separate attributes.  I'm thinking in particular of the times: why not
> >use pwdLastSet, or at worst a 'krb5KeyLastSet'?  Likewise, why is there
> >duplication between the krbPrincipalName and part of the krbSecretKey?
> 
> Is it to store the salting principal perhaps in case the principal is
> renamed?

No, the salt is stored with each key.

>  I really need to look at the code (is there a websvn link
> anywhere?)

svn://anonsvn.mit.edu/krb5/branches/ldap-integ

> Note that pwdLastSet is an AD-ism, you probably don't want this in a
> generic backend.

OK, but I still think we should be trying to have a single 'password
last changed' attribute (and synchronized passwords), rather than
pretending that users want to remember if they are typing their samba,
kerberos or shadow password...

> Also storing the key in a single-valued attribute may have some advantages
> as far as atomicity is concerned, depending on the replication model.

This I can understand, but unless you put all passwords into a single
blob, don't you just push the problem to synchronisation with other
password attributes?

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net

