LDAP schema questions

Luke Howard lukeh at padl.com
Tue Jun 13 08:13:18 EDT 2006


>Unless you require that there exist no more than a single principal
>per user object then you will have to lock and update multiple objects
>as part of the transaction.

I would recommend that there be 1:1 mapping between a principal entry
in the directory and a principal in Kerberos.

Whether the principal entry is associated with a "user" or "person" in
the directory by association, containment, or auxiliary class should
be a deployment decision. This is the approach we are adopting for
RFC2307bis (with the exception that we will specify the attribute used
to reference the associated object in the case where association is used).

Examples:

(a) association

dn: cn=Luke the Person,o=foo
objectclass: Person

dn: cn=Luke the Principal,o=bar
objectclass: Principal
seeAlso: cn=Luke the Person,o=foo

(b) containment

dn: cn=Luke the Person,o=foo
objectclass: Person

dn: cn=Luke the Principal,cn=Luke the Person,o=foo
objectclass: Principal

(c) auxiliary class

dn: cn=Luke the Person and Principal,o=foo
objectclass: Person
objectclass: Principal

-- Luke
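The three layouts above differ only in how a principal entry is tied back to its person entry, and the concern in the quoted reply is what happens when one person ends up with several principals. The following script, an added example that is not code from the post or from the RFC2307bis work, resolves each Principal entry to its Person under all three models and flags persons that own more than one principal. The LDIF is constructed for illustration, the object class names Person and Principal are taken from the post rather than from a published schema, and the LDIF parser and DN normalization are deliberately minimal (no base64 values, no escaped commas in DNs).

```python
"""Resolve which Person entry owns each Principal entry under the three
layouts discussed in the post: (a) association via seeAlso, (b) containment
(principal is a child of the person), (c) auxiliary class (one entry carries
both classes). Added example; not code from the mailing-list post."""
from collections import defaultdict

# Constructed sample directory: one principal per layout, plus a second
# principal for Ann (to trip the 1:1 check) and an orphan with no person.
SAMPLE_LDIF = """\
dn: cn=Luke the Person,o=foo
objectclass: Person

dn: cn=Luke the Principal,o=bar
objectclass: Principal
seeAlso: cn=Luke the Person,o=foo

dn: cn=Ann the Person,o=foo
objectclass: Person

dn: cn=Ann the Principal,cn=Ann the Person,o=foo
objectclass: Principal

dn: cn=Bob the Person and Principal,o=foo
objectclass: Person
objectclass: Principal

dn: cn=Ann admin Principal,o=bar
objectclass: Principal
seeAlso: cn=Ann the Person,o=foo

dn: cn=Orphan Principal,o=bar
objectclass: Principal
"""


def normalize_dn(dn):
    """Assumption: no escaped commas; strip RDN whitespace and lowercase."""
    return ",".join(rdn.strip() for rdn in dn.split(",")).lower()


def parent_dn(dn):
    """Everything after the first RDN (the containing entry's DN)."""
    return dn.partition(",")[2]


def parse_ldif(text):
    """Minimal LDIF parser: {normalized_dn: {attr_lower: [values]}}.
    Handles leading-space line continuation; no base64 (::) values."""
    entries = {}
    for block in text.strip().split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        dn, attrs = None, defaultdict(list)
        for line in lines:
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = normalize_dn(value)
            else:
                attrs[name].append(value)
        if dn is None:
            raise ValueError("LDIF record without dn")
        entries[dn] = dict(attrs)
    return entries


def has_class(entry, oc):
    return oc.lower() in (v.lower() for v in entry.get("objectclass", []))


def resolve_person(dn, entry, entries):
    """Return (layout, person_dn) for a principal, or (None, None)."""
    if has_class(entry, "Person"):                      # (c) auxiliary class
        return "auxiliary", dn
    for target in entry.get("seealso", []):             # (a) association
        target = normalize_dn(target)
        if target in entries and has_class(entries[target], "Person"):
            return "association", target
    parent = parent_dn(dn)                              # (b) containment
    if parent in entries and has_class(entries[parent], "Person"):
        return "containment", parent
    return None, None


def map_principals(text):
    """Returns ({principal_dn: (layout, person_dn)}, [unresolved dns])."""
    entries = parse_ldif(text)
    mapping, unresolved = {}, []
    for dn, entry in entries.items():
        if not has_class(entry, "Principal"):
            continue
        layout, person = resolve_person(dn, entry, entries)
        if person is None:
            unresolved.append(dn)
        else:
            mapping[dn] = (layout, person)
    return mapping, unresolved


def persons_with_multiple_principals(mapping):
    """Persons owning more than one principal entry: the case where a
    change to that person's Kerberos state touches several objects."""
    by_person = defaultdict(list)
    for principal, (_, person) in mapping.items():
        by_person[person].append(principal)
    return {p: sorted(prs) for p, prs in by_person.items() if len(prs) > 1}


if __name__ == "__main__":
    mapping, unresolved = map_principals(SAMPLE_LDIF)
    for principal, (layout, person) in sorted(mapping.items()):
        print(f"{principal}\n    -> {person}  [{layout}]")
    print("unresolved:", unresolved)
    print("persons with >1 principal:", persons_with_multiple_principals(mapping))
```

Resolution order matters: an entry that carries both classes is its own person, so the auxiliary check runs first; seeAlso is checked before the parent DN because a principal stored under a person but pointing elsewhere is almost certainly a data error worth surfacing, and the explicit reference wins. In a real deployment the directory's own DN matching rules should replace normalize_dn.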
