LDAP schema questions

Jeffrey Altman jaltman at columbia.edu
Thu Jun 8 11:22:34 EDT 2006


Andrew Bartlett wrote:
> On Thu, 2006-06-08 at 22:44 +1000, Luke Howard wrote:
>>>> Having all the user's information in a single object will help in
>>>> administration.
>>> I just don't buy this.  And in any case, if there is the need to keep
>>> these entries close to each other, why not put them 'under' the user in
>>> the tree, ensuring they must be deleted with the user? 
>> There are cases where either is useful. Using an auxiliary class gives
>> you the flexibility to adopt either approach.
> 
> Yep.  For the vast majority of cases, where a user only has one
> principal, I would of course like to see it on the user's record.  It is
> the 'a user might have multiple principals, so we need this complex
> attribute' thing that I don't buy.
> 
> Andrew Bartlett

Andrew:

It is common practice to assign users multiple principals so that the
user can have one for interactive logins and others for specialized
purposes.  For example, I have at one organization:

  jaltman at REALM
  jaltman/admin at REALM
  jaltman/batch at REALM

The admin principal is self-explanatory.  The batch principal is used
to produce a keytab with a strong random key that can be used for long
running background tasks.

All of these principals must be associated with my user account since
their usage specifies actions performed by me.

Jeffrey Altman
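As an added illustration of the point in this message (not code from the thread or from any Kerberos project), the script below parses principal names such as jaltman, jaltman/admin and jaltman/batch, groups them under the account named by the primary component, and renders both directory layouts the thread debates: principals as multi-valued attributes on the user entry via an auxiliary class, or as entries subordinate to the user. Object class and attribute names follow the MIT Kerberos LDAP schema (krbPrincipalAux, krbPrincipal, krbPrincipalName); the realm and the DNs are constructed sample values.

```python
"""Added example: group per-user Kerberos principals and emit LDIF for the
two layouts discussed on krbdev. Schema names assume the MIT Kerberos LDAP
schema; realm and DNs below are constructed sample values."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple


def _escape(component: str) -> str:
    """Escape the principal separators so a name round-trips through parse_principal."""
    return component.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")


class Principal(NamedTuple):
    primary: str
    instances: Tuple[str, ...]
    realm: str

    def __str__(self) -> str:
        name = "/".join(_escape(c) for c in (self.primary,) + self.instances)
        return f"{name}@{_escape(self.realm)}"


def parse_principal(text: str, default_realm: Optional[str] = None) -> Principal:
    """Split 'primary/instance...@REALM'. A backslash escapes the next character,
    so 'odd\\/name@REALM' has the primary component 'odd/name'."""
    components: List[str] = []
    buf: List[str] = []
    in_realm = False
    i = 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])
            i += 2
            continue
        if not in_realm and c == "/":
            components.append("".join(buf))
            buf = []
        elif not in_realm and c == "@":
            components.append("".join(buf))
            buf = []
            in_realm = True
        else:
            buf.append(c)
        i += 1
    if in_realm:
        realm: Optional[str] = "".join(buf)
    else:
        components.append("".join(buf))
        realm = default_realm
    if not components or any(c == "" for c in components) or not realm:
        raise ValueError(f"malformed principal: {text!r}")
    return Principal(components[0], tuple(components[1:]), realm)


def group_by_user(names: List[str], default_realm: str) -> Dict[str, List[Principal]]:
    """Associate each principal with the account named by its primary component,
    which is how jaltman, jaltman/admin and jaltman/batch all belong to one user."""
    groups: Dict[str, List[Principal]] = defaultdict(list)
    for name in names:
        p = parse_principal(name, default_realm)
        groups[p.primary].append(p)
    return dict(groups)


def _rdn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514 rules)."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def auxiliary_ldif(user_dn: str, principals: List[Principal]) -> str:
    """Layout 1: every principal as a krbPrincipalName value on the user entry,
    added through the krbPrincipalAux auxiliary class."""
    lines = [f"dn: {user_dn}", "changetype: modify",
             "add: objectClass", "objectClass: krbPrincipalAux", "-",
             "add: krbPrincipalName"]
    lines += [f"krbPrincipalName: {p}" for p in principals]
    lines.append("-")
    return "\n".join(lines) + "\n"


def child_entries_ldif(user_dn: str, principals: List[Principal]) -> str:
    """Layout 2: one krbPrincipal entry per principal, subordinate to the user
    entry, so removing the user's subtree removes its principals with it."""
    blocks = []
    for p in principals:
        blocks.append("\n".join([
            f"dn: krbPrincipalName={_rdn_value(str(p))},{user_dn}",
            "objectClass: krbPrincipal",
            f"krbPrincipalName: {p}",
        ]))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    # Constructed sample input: the three principals from the message plus a host key.
    sample = ["jaltman@REALM", "jaltman/admin@REALM", "jaltman/batch@REALM",
              "host/www.example.com@REALM"]
    groups = group_by_user(sample, "REALM")
    user_dn = "uid=jaltman,ou=People,dc=example,dc=com"
    print(auxiliary_ldif(user_dn, groups["jaltman"]))
    print(child_entries_ldif(user_dn, groups["jaltman"]))
```

The parser is the part worth keeping: a naive split on "/" and "@" silently mis-files principals with escaped separators, which is exactly the kind of entry that ends up attached to the wrong account or to none.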