LDAP schema questions
K.G. Gokulavasan
kgokulavasan at novell.com
Tue Jun 13 07:44:30 EDT 2006
>>> On 6/10/06 at 10:05 PM, in message <tslbqt1x93b.fsf at cz.mit.edu>,
Sam Hartman
<hartmans at MIT.EDU> wrote:
>>>>>> "Jeffrey" == Jeffrey Altman <jaltman at columbia.edu> writes:
>
> Jeffrey> All of these principals must be associated with my user
> Jeffrey> account since their usage specifies actions performed
by
> Jeffrey> me.
>
>
> Sure, but it seems that perhaps one principal could live in the user
> object and the rest could be linked to the user object.
>
If we like to use some common attribute across all identities, then it
may involve more than one ldap search. For e.g., if we want to use "Last
Password Change" attribute on the User object for kerberos principals
also, then it will involve first ldap search to find the user object
from the principal object(using the link) and then another search to
find the value from the user object. So to get additional principal
information from User object or to get any User information from the
additional principal object will involve more than one ldap search.
Moreover if we want to have a common password and synchronize it across
other identities(kerberos keys), then whenever the user password is
changed, all the principal object's kerberos keys have to be changed.
This will end up in updating more than one object and we have to
maintain atomicity here. Otherwise there will be inconsistency with
respect to password.
Regards,
Gokul.
More information about the krbdev
mailing list