LDAP schema questions
Jeffrey Altman
jaltman at MIT.EDU
Tue Jun 13 07:52:31 EDT 2006
K.G. Gokulavasan wrote:
>
>>>> On 6/10/06 at 10:05 PM, in message <tslbqt1x93b.fsf at cz.mit.edu>,
> Sam Hartman
> <hartmans at MIT.EDU> wrote:
>>>>>>> "Jeffrey" == Jeffrey Altman <jaltman at columbia.edu> writes:
>> Jeffrey> All of these principals must be associated with my user
>> Jeffrey> account since their usage specifies actions performed
> by
>> Jeffrey> me.
>>
>>
>> Sure, but it seems that perhaps one principal could live in the user
>> object and the rest could be linked to the user object.
>>
> If we like to use some common attribute across all identities, then it
> may involve more than one ldap search. For e.g., if we want to use "Last
> Password Change" attribute on the User object for kerberos principals
> also, then it will involve first ldap search to find the user object
> from the principal object(using the link) and then another search to
> find the value from the user object. So to get additional principal
> information from User object or to get any User information from the
> additional principal object will involve more than one ldap search.
> Moreover if we want to have a common password and synchronize it across
> other identities(kerberos keys), then whenever the user password is
> changed, all the principal object's kerberos keys have to be changed.
> This will end up in updating more than one object and we have to
> maintain atomicity here. Otherwise there will be inconsistency with
> respect to password.
>
> Regards,
> Gokul.
Gokul:
Unless you require that there exist no more than a single principal
per user object then you will have to lock and update multiple objects
as part of the transaction.
Are you planning on requiring a one to one relationship between user
and principal?
Jeffrey Altman
More information about the krbdev
mailing list