LDAP schema questions

Jeffrey Altman jaltman at MIT.EDU
Tue Jun 13 11:18:54 EDT 2006 

Jeffrey Altman wrote:
> K.G. Gokulavasan wrote:
>>>>> On 6/10/06 at 10:05 PM, in message <tslbqt1x93b.fsf at cz.mit.edu>,
>> Sam Hartman
>> <hartmans at MIT.EDU> wrote:
>>>>>>>> "Jeffrey" == Jeffrey Altman <jaltman at columbia.edu> writes:
>>>     Jeffrey> All of these principals must be associated with my user
>>>     Jeffrey> account since their usage specifies actions performed
>> by
>>>     Jeffrey> me.
>>>
>>>
>>> Sure, but it seems that perhaps one principal could live in the user
>>> object and the rest could be linked to the user object.
>>>
>> If we like to use some common attribute across all identities, then it
>> may involve more than one ldap search. For e.g., if we want to use "Last
>> Password Change" attribute on the User object for kerberos principals
>> also, then it will involve first ldap search to find the user object
>> from the principal object(using the link) and then another search to
>> find the value from the user object. So to get additional principal
>> information from User object or to get any User information from the
>> additional principal object will involve more than one ldap search.
>> Moreover if we want to have a common password and synchronize it across
>> other identities(kerberos keys), then whenever the user password is
>> changed, all the principal object's kerberos keys have to be changed.
>> This will end up in updating more than one object and we have to
>> maintain atomicity here. Otherwise there will be inconsistency with
>> respect to password.
>>
>> Regards,
>>  Gokul.
> 
> Gokul:
> 
> Unless you require that there exist no more than a single principal
> per user object then you will have to lock and update multiple objects
> as part of the transaction.
> 
> Are you planning on requiring a one to one relationship between user
> and principal?
> 
> Jeffrey Altman

Sam reminds me that LDAP provides no mechanism for locking objects
and that applications built on top of LDAP traditionally live without
transaction semantics.

Jeffrey Altman

More information about the krbdev mailing list