concerns with ldap plugin and 1.5

Henry B. Hotz hotz at jpl.nasa.gov
Fri Jun 9 21:03:45 EDT 2006


On Jun 9, 2006, at 5:25 PM, Nicolas Williams wrote:

> On Fri, Jun 09, 2006 at 04:53:10PM -0700, Henry B. Hotz wrote:
>> You ought to be able to infer the dn from the principal name, based
>> on the (probably default) realm's configuration information.  In
>> other words "add hotz" should do the right thing.
>
> You can't always, not at principal creation time.
>
> The problem is that the kadmin create_principal command, and the
> protocol itself lack a way to convey principal type information.

The two main "types" (my definition, possibly not yours) are "users"
which are a single component name+realm, and "services" which are a
two-component name where the second is a FQDN.  Seems easy enough to
infer which is which.  Maybe you've got some other things like */admin
and */batch that get mapped differently, but that should be
generic config info, not something you have to put on a kadmin add
command IMO.

> Without principal name type information there are situations where the
> intended principal name type, and therefore, possibly, LDAP class and DN
> of the intended LDAP object, cannot be unambiguously determined.

I think the special cases like kadmin/changepw and krbtgt/* could
require extra options for correct handling.  They need special
handling anyway.  Be better if they don't though.

Is that what you mean?

> foo at BAR.COM might be intended to be a user principal, if a user exists
> with the name 'foo' in that organization.  Then again, this might be
> something else.

Yeah, but do we have to make everything hard just to be able to
handle the oddball stuff?

> Nico
> -- 

I don't know much about MIT's "policy" data.  Does it help if you
associate the necessary LDAP mappings with that data instead of the
realm?

----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
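A sketch of the inference Henry describes, with Nico's ambiguity objection built in, as an added example (not code from this thread or from the MIT LDAP plugin). REALM_CONFIG and the known_users set are assumptions standing in for the realm's configuration and for a directory lookup; a principal that cannot be placed unambiguously gets no DN rather than a guess.

```python
import re
# Constructed, hypothetical per-realm mapping (an assumption for this example,
# not MIT's real configuration): one LDAP container per principal "type".
REALM_CONFIG = {
    "EXAMPLE.COM": {
        "user": "ou=people,dc=example,dc=com",
        "service": "ou=hosts,dc=example,dc=com",
        "special": "ou=kerberos,dc=example,dc=com",
        # Henry's */admin case: mapped by the second component, from config.
        "instance": {"admin": "ou=admins,dc=example,dc=com"},
    }
}
SPECIAL_FIRST = {"krbtgt", "kadmin"}  # the cases that need special handling anyway
FQDN_RE = re.compile(r"^([a-z0-9-]+\.)+[a-z0-9-]+$", re.I)

def parse_principal(principal):
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM'); backslash escapes are ignored."""
    name, sep, realm = principal.rpartition("@")
    if not (sep and name and realm):
        raise ValueError(f"malformed principal: {principal!r}")
    return name.split("/"), realm

def classify(components, cfg, known_users=frozenset()):
    """Return the config key for the principal's shape, or 'ambiguous'."""
    if components[0] in SPECIAL_FIRST:
        return "special"
    if len(components) == 2 and components[1] in cfg["instance"]:
        return "instance"
    if len(components) == 2 and FQDN_RE.match(components[1]):
        return "service"
    if len(components) == 1 and components[0] in known_users:
        return "user"
    # Nico's point: a bare 'foo' with no matching user (or any other shape)
    # cannot be placed without a type hint, so refuse rather than guess.
    return "ambiguous"

def escape_rdn(value):
    """RFC 4514 escaping so the principal name is safe as an RDN value."""
    out = re.sub(r'([\\,+"<>;])', r"\\\1", value)
    return re.sub(r"^[ #]| $", lambda m: "\\" + m.group(0), out)

def infer_dn(principal, known_users=frozenset()):
    """Map a principal to a DN, or None when no unambiguous mapping exists."""
    components, realm = parse_principal(principal)
    cfg = REALM_CONFIG.get(realm)
    kind = classify(components, cfg, known_users) if cfg else "ambiguous"
    if kind == "ambiguous":
        return None
    container = cfg[kind][components[1]] if kind == "instance" else cfg[kind]
    return f"cn={escape_rdn('/'.join(components))},{container}"
```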