LDAP schema questions

K.G. Gokulavasan kgokulavasan at novell.com
Fri Jun 16 06:39:06 EDT 2006



>>> On 6/14/06 at 7:04 AM, in message
<200606140134.k5E1YJBM042446 at au.padl.com>,
Luke Howard <lukeh at padl.com> wrote:

>>###### The principal data auxiliary class. Holds principal information
>>###### and is used to store principal information for Users and any services.
>>dn: cn=schema
>>changetype: modify
>>add: objectclasses
>>objectClasses: ( 2.16.840.1.113719.1.301.6.8
>>                NAME 'krbPrincipalAux'
>>                AUXILIARY
>>                MAY ( krbPrincipalName $ krbUPEnabled $ krbSecretKey $
>>                      krbPolicyReference $ krbPrincipalExpiration $
>>                      krbPasswordExpiration ) )
>>
>>###### This object is created to hold principals of type other than USER.
>>
>>dn: cn=schema
>>changetype: modify
>>add: objectclasses
>>objectClasses: ( 2.16.840.1.113719.1.301.6.9
>>                NAME 'krbPrincipal'
>>                SUP ( top )
>>                MUST ( krbPrincipalName )
>>                MAY ( krbPrincipalType )
>>                X-NDS_NAMING 'krbPrincipalName'
>>                X-NDS_CONTAINMENT ( 'organization' 'organizationalUnit'
>>                                    'domain' 'krbRealmContainer'
>>                                    'country' 'locality' )
>>                X-NDS_NOT_CONTAINER '1')
> 
> Is this supposed to be STRUCTURAL? This should be specified in the schema
> definition.
> 

"STRUCTURAL" is not explicitly mentioned in any of the structural
classes. I will update it.
 
>>While krbSecretKey contains the principal name to associate it with a
>>principal, the other attributes do not.  I'm assuming then that the only
>>way to associate more than 1 principal with a user requires use of a
>>krbPrincipal object if the krbPrincipalAux attributes differ between the
>>principals.  Is this correct?
> 
> That seems to make sense to me, although it puzzles me why krbPrincipalType
> is here and not in krbPrincipalAux. Where does the principal type come from
> if krbPrincipalAux is associated with another object class, such as person?
> Is it assumed to be a fixed value? What if I want to use another structural
> object class with a different name type?
> 
Currently the krbPrincipalAux is associated with the inetOrgPerson object
only. But it can be associated with other object classes also. I will
include krbPrincipalType in the krbPrincipalAux class.

> (Also, let's be careful not to let any eDirectory assumptions creep in, eg.
> Universal Passwords cf. krbUPEnabled, the "user" object class, etc.)
> 
krbUPEnabled (Kerberos User Password Enabled) indicates whether to use the
user's (person's) password as the Kerberos password. If there is a way to
retrieve the clear text password from the LDAP directory and they want to use
it for Kerberos keys (keys can be generated from the clear text password)
also, then this attribute can be used to control it.

I will remove the mention of the "user" object class and mention the
appropriate OpenLDAP object class.

Regards,
 Gokul.
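The two review points in this exchange (the missing explicit kind on krbPrincipal, and krbPrincipalType living only on krbPrincipal rather than on the auxiliary class) are the kind of thing a small schema lint can catch before an LDIF is loaded. The following Python is an added example written for this page, not code from the thread or from the MIT Kerberos or Novell projects. It parses the two objectClass descriptions quoted above (LDIF continuation lines unfolded), reports any class whose kind is unstated, and answers "which classes carry attribute X". The "_V2" definitions are constructed by applying the two changes Gokul promises in his reply, so the lint can be shown going clean; the X-NDS_* handling simply treats any `X-` keyword as an extension list.

```python
"""Lint LDAP objectClass descriptions (RFC 4512 syntax) for schema-review points.

Added example for the krbdev thread above; the rules are ours, not the project's.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Tokens of an objectClass description: parens, '$' separators,
# single-quoted strings, and bare words (OIDs, keywords, descriptors).
_TOKEN = re.compile(r"\(|\)|\$|'[^']*'|[^\s()$']+")
_LIST_KEYWORDS = {"NAME": "names", "SUP": "sup", "MUST": "must", "MAY": "may"}

@dataclass
class ObjectClass:
    oid: str
    names: list[str] = field(default_factory=list)
    sup: list[str] = field(default_factory=list)
    kind: str | None = None          # None: the definition did not state a kind
    must: list[str] = field(default_factory=list)
    may: list[str] = field(default_factory=list)
    extensions: dict[str, list[str]] = field(default_factory=dict)

def _parse_list(tokens: list[str], i: int) -> tuple[list[str], int]:
    """Parse one value or a '( a $ b )' / "( 'a' 'b' )" list starting at tokens[i]."""
    if tokens[i] == "(":
        vals, i = [], i + 1
        while tokens[i] != ")":
            if tokens[i] != "$":
                vals.append(tokens[i].strip("'"))
            i += 1
        return vals, i + 1
    return [tokens[i].strip("'")], i + 1

def parse_objectclass(text: str) -> ObjectClass:
    tokens = _TOKEN.findall(text)
    if tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("objectClass description must be parenthesised")
    oc, i = ObjectClass(oid=tokens[1]), 2
    while i < len(tokens) - 1:                 # stop before the closing ')'
        kw = tokens[i].upper()
        if kw in ("ABSTRACT", "STRUCTURAL", "AUXILIARY"):
            oc.kind, i = kw, i + 1
        elif kw == "OBSOLETE":
            i += 1
        elif kw == "DESC":
            i += 2                             # DESC 'text'
        elif kw in _LIST_KEYWORDS:
            vals, i = _parse_list(tokens, i + 1)
            setattr(oc, _LIST_KEYWORDS[kw], vals)
        elif kw.startswith("X-"):              # vendor extensions such as X-NDS_*
            vals, i = _parse_list(tokens, i + 1)
            oc.extensions[kw] = vals
        else:
            raise ValueError(f"unexpected token {tokens[i]!r} in {oc.oid}")
    return oc

def classes_carrying(classes: list[ObjectClass], attr: str) -> list[str]:
    """Names of the classes whose MUST or MAY includes attr, in input order."""
    return [oc.names[0] for oc in classes if attr in oc.must or attr in oc.may]

def lint(classes: list[ObjectClass]) -> list[str]:
    findings = []
    for oc in classes:
        name = oc.names[0] if oc.names else oc.oid
        if oc.kind is None:
            # RFC 4512 treats an unstated kind as STRUCTURAL; reviewers want it explicit.
            findings.append(f"{name}: kind not stated (defaults to STRUCTURAL); declare it")
        naming = oc.extensions.get("X-NDS_NAMING", [])
        if naming and oc.kind == "AUXILIARY":
            findings.append(f"{name}: naming attribute on an AUXILIARY class has no effect")
        for attr in naming:
            if attr not in oc.must + oc.may:
                findings.append(f"{name}: naming attribute {attr} is not in MUST or MAY")
    return findings

# Definitions quoted from the thread's LDIF, with continuation lines unfolded.
KRB_PRINCIPAL_AUX = """( 2.16.840.1.113719.1.301.6.8 NAME 'krbPrincipalAux' AUXILIARY
  MAY ( krbPrincipalName $ krbUPEnabled $ krbSecretKey $ krbPolicyReference $
        krbPrincipalExpiration $ krbPasswordExpiration ) )"""
KRB_PRINCIPAL = """( 2.16.840.1.113719.1.301.6.9 NAME 'krbPrincipal' SUP ( top )
  MUST ( krbPrincipalName ) MAY ( krbPrincipalType )
  X-NDS_NAMING 'krbPrincipalName'
  X-NDS_CONTAINMENT ( 'organization' 'organizationalUnit' 'domain'
                      'krbRealmContainer' 'country' 'locality' )
  X-NDS_NOT_CONTAINER '1' )"""

# Constructed revisions applying the two changes promised in the reply:
# krbPrincipalType added to krbPrincipalAux, krbPrincipal declared STRUCTURAL.
KRB_PRINCIPAL_AUX_V2 = KRB_PRINCIPAL_AUX.replace(
    "krbPasswordExpiration )", "krbPasswordExpiration $ krbPrincipalType )")
KRB_PRINCIPAL_V2 = KRB_PRINCIPAL.replace("SUP ( top )", "SUP ( top ) STRUCTURAL")

if __name__ == "__main__":
    for label, defs in (("as posted", (KRB_PRINCIPAL_AUX, KRB_PRINCIPAL)),
                        ("revised", (KRB_PRINCIPAL_AUX_V2, KRB_PRINCIPAL_V2))):
        classes = [parse_objectclass(d) for d in defs]
        print(f"[{label}] krbPrincipalType carried by:", classes_carrying(classes, "krbPrincipalType"))
        for finding in lint(classes) or ["no findings"]:
            print(f"[{label}] {finding}")
```

Run as a script it prints, for the posted schema, that only krbPrincipal carries krbPrincipalType and that krbPrincipal states no kind; for the revised definitions both classes carry the attribute and the lint is clean. Extending `lint` with a site's own rules (for example, requiring every AUXILIARY class that exposes key material such as krbSecretKey to be named in an access-control review list) is the natural next step.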
